ML031250499
ML031250499 | |
Person / Time | |
---|---|
Site: | Peach Bottom |
Issue date: | 04/24/2003 |
From: | Gallagher M Exelon Nuclear |
To: | Office of Nuclear Reactor Regulation |
References | |
TS 5.5.10.d | |
Text
HPSW System B 3.7.1
B 3.7 PLANT SYSTEMS
B 3.7.1 High Pressure Service Water (HPSW) System
BASES
BACKGROUND
The HPSW System is designed to provide cooling water for the Residual Heat Removal (RHR) System heat exchangers, required for a safe reactor shutdown following a Design Basis Accident (DBA) or transient. The HPSW System is operated whenever the RHR heat exchangers are required to operate in the shutdown cooling mode or in the suppression pool cooling or spray mode of the RHR System.
The HPSW System consists of two independent and redundant loops. Each loop is made up of a header, two 4500 gpm pumps, a suction source, valves, piping and associated instrumentation. Either of the two loops is capable of providing the required cooling capacity with one pump operating to maintain safe shutdown conditions. Therefore, there are two HPSW subsystems with each subsystem consisting of a HPSW loop with one OPERABLE HPSW pump in the loop. The two subsystems are separated from each other by normally closed motor operated cross tie valves, so that failure of one subsystem will not affect the OPERABILITY of the other subsystem. A line connecting the HPSW System of each unit is also provided. Separation of the two units HPSW Systems is provided by a series of two locked closed, manually operated valves. The HPSW System is designed with sufficient redundancy so that no single active component failure can prevent it from achieving its design function.
The HPSW System is described in the UFSAR, Section 10.7, Reference 1.
Normal cooling water is pumped by the HPSW pumps from the Conowingo Pond through the tube side of the RHR heat exchangers, and discharges to the discharge pond. The required level for the HPSW pumps in the pump bay of the pump structure is ≥ 89.5 ft Conowingo Datum (CD) and ≤ 113 ft CD. The minimum level ensures net positive suction head and the maximum level corresponds to the level in the pump bay with water solid up to the motor baseplate. An alternate supply and discharge path (from the emergency heat sink) is available in the unlikely event the Conowingo dam fails or the pond floods. This lineup, however, has to be manually aligned.
PBAPS UNIT 2 B 3.7-1 Revision No. 17
The system is initiated manually from the control room. If operating during a loss of coolant accident (LOCA), the system is automatically tripped to allow the diesel generators to automatically power only that equipment necessary to reflood the core. The system is assumed in the analysis to be manually started 10 minutes after the LOCA.
The RHR System design permits the system to be initiated as early as 5 minutes after LPCI initiation.
APPLICABLE SAFETY ANALYSES
The HPSW System removes heat from the suppression pool to limit the suppression pool temperature and primary containment pressure following a LOCA. This ensures that the primary containment can perform its function of limiting the release of radioactive materials to the environment following a LOCA. The ability of the HPSW System to support long term cooling of the reactor or primary containment is discussed in References 2 and 3. These analyses explicitly assume that the HPSW System will provide adequate cooling support to the equipment required for safe shutdown. These analyses include the evaluation of the long term primary containment response after a design basis LOCA.
The safety analyses for long term cooling were performed for various combinations of RHR System failures. The worst case single failure that would affect the performance of the HPSW System is any failure that would disable one loop of the HPSW System. As discussed in the UFSAR, Section 14.6.3 (Ref. 4) for these analyses, manual initiation of the OPERABLE HPSW subsystem and the associated RHR System is assumed to occur 10 minutes after a DBA. The HPSW flow assumed in the analyses is 4500 gpm with one pump operating in one loop, providing flow through one RHR heat exchanger.
In this case, the maximum suppression chamber water temperature and pressure are 206°F and approximately 33 psig, respectively, well below the design temperature of 281°F and maximum allowable pressure of 56 psig.
The HPSW System satisfies Criterion 3 of the NRC Policy Statement.
LCO
Two HPSW subsystems are required to be OPERABLE to provide the required redundancy to ensure that the system functions to remove post accident heat loads, assuming the worst case single active failure occurs coincident with the loss of offsite power.
PBAPS UNIT 2 B 3.7-2 Revision No. 0
A HPSW subsystem is considered OPERABLE when:
- a. One pump is OPERABLE; and
- b. An OPERABLE flow path is capable of taking suction from the pump structure and transferring the water to the required RHR heat exchanger at the assumed flow rate.
An adequate suction source is not addressed in this LCO since the minimum net positive suction head (89.5 ft Conowingo Datum (CD) in the pump bay) and normal heat sink temperature requirements are bounded by the emergency service water pump and normal heat sink requirements (LCO 3.7.2, "Emergency Service Water (ESW) System and Normal Heat Sink").
APPLICABILITY
In MODES 1, 2, and 3, the HPSW System is required to be OPERABLE to support the OPERABILITY of the RHR System for primary containment cooling (LCO 3.6.2.3, "Residual Heat Removal (RHR) Suppression Pool Cooling," and LCO 3.6.2.4, "Residual Heat Removal (RHR) Suppression Pool Spray") and decay heat removal (LCO 3.4.7, "Residual Heat Removal (RHR) Shutdown Cooling System-Hot Shutdown"). The Applicability is therefore consistent with the requirements of these systems.
In MODES 4 and 5, the OPERABILITY requirements of the HPSW System are determined by the systems it supports, and therefore, the requirements are not the same for all facets of operation in MODES 4 and 5. Thus, the LCOs of the RHR shutdown cooling system, which requires portions of the HPSW System to be OPERABLE, will govern HPSW System operation in MODES 4 and 5.
ACTIONS
A.1
With one HPSW subsystem inoperable, the inoperable HPSW subsystem must be restored to OPERABLE status within 7 days.
With the unit in this condition, the remaining OPERABLE HPSW subsystem is adequate to perform the HPSW heat removal function. However, the overall reliability is reduced because a single failure in the OPERABLE HPSW subsystem
PBAPS UNIT 2 B 3.7-3 Revision No. 0
could result in loss of HPSW function. The Completion Time is based on the redundant HPSW capabilities afforded by the OPERABLE subsystem and the low probability of an event occurring requiring HPSW during this period.
The Required Action is modified by a Note indicating that the applicable Conditions of LCO 3.4.7, be entered and Required Actions taken if an inoperable HPSW subsystem results in an inoperable RHR shutdown cooling subsystem.
This is an exception to LCO 3.0.6 and ensures the proper actions are taken for these components.
B.1
With both HPSW subsystems inoperable, the HPSW System is not capable of performing its intended function. At least one subsystem must be restored to OPERABLE status within 8 hours. The 8 hour Completion Time for restoring one HPSW subsystem to OPERABLE status, is based on the Completion Times provided for the RHR suppression pool cooling and spray functions.
The Required Action is modified by a Note indicating that the applicable Conditions of LCO 3.4.7, be entered and Required Actions taken if an inoperable HPSW subsystem results in an inoperable RHR shutdown cooling subsystem.
This is an exception to LCO 3.0.6 and ensures the proper actions are taken for these components.
C.1 and C.2
If the HPSW subsystems cannot be restored to OPERABLE status within the associated Completion Times, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
PBAPS UNIT 2 B 3.7-4 Revision No. 0
SURVEILLANCE REQUIREMENTS
SR 3.7.1.1
Verifying the correct alignment for each manual and power operated valve in each HPSW subsystem flow path provides assurance that the proper flow paths will exist for HPSW operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves are verified to be in the correct position prior to locking, sealing, or securing. A valve is also allowed to be in the nonaccident position, and yet considered in the correct position, provided it can be realigned to its accident position. This is acceptable because the HPSW System is a manually initiated system.
This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves.
The 31 day Frequency is based on engineering judgment, is consistent with the procedural controls governing valve operation, and ensures correct valve positions.
REFERENCES
- 1. UFSAR, Section 10.7.
- 2. UFSAR, Chapter 14.
- 3. NEDC-32183P, "Power Rerate Safety Analysis Report For Peach Bottom 2 & 3," May 1993.
- 4. UFSAR, Section 14.6.3.
PBAPS UNIT 2 B 3.7-5 Revision No. 0
ESW System and Normal Heat Sink B 3.7.2
B 3.7 PLANT SYSTEMS
B 3.7.2 Emergency Service Water (ESW) System and Normal Heat Sink
BASES
BACKGROUND
The ESW System is a standby system which is shared between Units 2 and 3. It is designed to provide cooling water for the removal of heat from equipment, such as the diesel generators (DGs) and room coolers for Emergency Core Cooling System equipment, required for a safe reactor shutdown following a Design Basis Accident (DBA) or transient. Upon receipt of a loss of offsite power signal, or whenever any diesel generator is in operation, the ESW System will provide cooling water to its required loads.
The ESW System consists of two redundant subsystems. Each of the two ESW subsystems consists of a 100% capacity 8000 gpm pump, a suction source, valves, piping and associated instrumentation. Either of the two subsystems is capable of providing the required cooling capacity to support the required systems for both units. Each subsystem provides coolant in separate piping to common headers; one each for the DG coolers, Unit 2 safeguard equipment coolers, and Unit 3 safeguard equipment coolers. The design is such that any single active failure will not affect the ESW System from providing coolant to the required loads.
Cooling water is pumped from the normal heat sink (Conowingo Pond) via the pump structure bay by the ESW pumps to the essential components. After removing heat from the components, the water is discharged to the discharge pond, or the emergency cooling tower in certain test alignments.
An alternate suction supply and discharge path (from the emergency heat sink) is available in the unlikely event the Conowingo dam fails or the pond floods. This lineup, however, has to be manually aligned.
APPLICABLE SAFETY ANALYSES
Sufficient water inventory is available for all ESW System post LOCA cooling requirements for a 30 day period with no additional makeup water source available. The ability of the ESW System to support long term cooling of the reactor containment is assumed in evaluations of the equipment required for safe reactor shutdown presented in the UFSAR, Chapter 14 (Ref. 1). These analyses include the evaluation of the long term primary containment response after a design basis LOCA.
PBAPS UNIT 2 B 3.7-6 Revision No. 4
The ability of the ESW System to provide adequate cooling to the identified safety equipment is an implicit assumption for the safety analyses evaluated in Reference 1. The ability to provide onsite emergency AC power is dependent on the ability of the ESW System to cool the DGs. The long term cooling capability of the RHR and core spray pumps is also dependent on the cooling provided by the ESW System.
ESW provides cooling to the HPCI and RCIC room coolers; however, cooling function is not required to support HPCI or RCIC System operability.
The ESW System, together with the Normal Heat Sink, satisfies Criterion 3 of the NRC Policy Statement.
LCO
The ESW subsystems are independent to the degree that each ESW pump has separate controls, power supplies, and the operation of one does not depend on the other. In the event of a DBA, one subsystem of ESW is required to provide the minimum heat removal capability assumed in the safety analysis for the system to which it supplies cooling water.
To ensure this requirement is met, two subsystems of ESW must be OPERABLE. At least one subsystem will operate, if the worst single active failure occurs coincident with the loss of offsite power.
A subsystem is considered OPERABLE when it has an OPERABLE normal heat sink, one OPERABLE pump, and an OPERABLE flow path capable of taking suction from the pump structure and transferring the water to the appropriate equipment.
The OPERABILITY of the normal heat sink is based on having a minimum and maximum water level in the pump bay of 98.5 ft Conowingo Datum (CD) and 113 ft CD respectively and a maximum water temperature of 90°F.
The isolation of the ESW System to components or systems may render those components or systems inoperable, but does not affect the OPERABILITY of the ESW System.
APPLICABILITY
In MODES 1, 2, and 3, the ESW System and normal heat sink are required to be OPERABLE to support OPERABILITY of the equipment serviced by the ESW System. Therefore, the ESW System and normal heat sink are required to be OPERABLE in these MODES.
PBAPS UNIT 2 B 3.7-7 Revision No. 11
In MODES 4 and 5, the OPERABILITY requirements of the ESW System and normal heat sink are determined by the systems they support, and therefore the requirements are not the same for all facets of operation in MODES 4 and 5. Thus, the LCOs of the systems supported by the ESW System and normal heat sink will govern ESW System and normal heat sink OPERABILITY requirements in MODES 4 and 5.
ACTIONS
A.1
With one ESW subsystem inoperable, the ESW subsystem must be restored to OPERABLE status within 7 days. With the unit in this condition, the remaining OPERABLE ESW subsystem is adequate to perform the heat removal function. However, the overall reliability is reduced because a single failure in the OPERABLE ESW subsystem could result in loss of ESW function.
The 7 day Completion Time is based on the redundant ESW System capabilities afforded by the OPERABLE subsystem, the low probability of an event occurring during this time period, and is consistent with the allowed Completion Time for restoring an inoperable DG.
B.1
With water temperature of the normal heat sink > 90°F and < 92°F, the design basis assumptions associated with the initial normal heat sink temperature are bounded provided the temperature of the normal heat sink when averaged over the previous 24 hour period is < 90°F. To ensure that the 92°F normal heat sink temperature limit is not exceeded, Required Action B.1 is provided to more frequently monitor the temperature of the normal heat sink. The once per hour completion time takes into consideration normal heat sink temperature variations and the increased monitoring frequency needed to ensure design basis assumptions and equipment limitations are not exceeded in this condition.
If the water temperature of the normal heat sink exceeds 90°F when averaged over the previous 24 hour period or the water temperature of the normal heat sink exceeds 92°F, Condition C must be entered immediately.
PBAPS UNIT 2 B 3.7-8 Revision No. 33
C.1 and C
If the ESW System cannot be restored to OPERABLE status within the associated Completion Time, or both ESW subsystems are inoperable, or the normal heat sink is inoperable, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
SURVEILLANCE REQUIREMENTS
SR 3.7.2.1
This SR verifies the water level in the pump bay of the pump structure to be sufficient for the proper operation of the ESW pumps (the pump's ability to meet the minimum flow rate and anticipatory actions required for flood conditions are
PBAPS UNIT 2 B 3.7-8a Revision No. 33
considered in determining these limits). The 24 hour Frequency is based on operating experience related to trending of the parameter variations during the applicable MODES.
SR 3.7.2.2
Verification of the normal heat sink temperature ensures that the heat removal capability of the ESW and HPSW systems is within the DBA analysis. The 24 hour Frequency is based on operating experience related to trending of the parameter variations during the applicable MODES.
SR 3.7.2.3
Verifying the correct alignment for each manual and power operated valve in each ESW subsystem flow path provides assurance that the proper flow paths will exist for ESW operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve is also allowed to be in the nonaccident position, and yet considered in the correct position, provided it can be automatically realigned to its accident position within the required time. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves.
This SR is modified by a Note indicating that isolation of the ESW System to components or systems may render those components or systems inoperable, but does not affect the OPERABILITY of the ESW System. As such, when all ESW pumps, valves, and piping are OPERABLE, but a branch connection off the main header is isolated, the ESW System is still OPERABLE.
The 31 day Frequency is based on engineering judgment, is consistent with the procedural controls governing valve operation, and ensures correct valve positions.
PBAPS UNIT 2 B 3.7-9 Revision No. 0
SR 3.7.2.4
This SR verifies that the ESW System pumps will automatically start to provide cooling water to the required safety related equipment during an accident event. This is demonstrated by the use of an actual or simulated initiation signal.
Operating experience has shown that these components will usually pass the SR when performed at the 24 month Frequency. Therefore, this Frequency is concluded to be acceptable from a reliability standpoint.
REFERENCES
- 1. UFSAR, Chapter 14.
PBAPS UNIT 2 B 3.7-10 Revision No. 0
Emergency Heat Sink B 3.7.3
B 3.7 PLANT SYSTEMS
B 3.7.3 Emergency Heat Sink
BASES
BACKGROUND
The function of the emergency heat sink is to provide heat removal capability so that the Unit 2 and 3 reactors can be safely shutdown in the event of the unavailability of the normal heat sink (Conowingo Pond). The emergency heat sink supports the dissipation of sensible and decay heat so that the two reactors can be shutdown when the normal heat sink is unavailable due to flooding or failure of the Conowingo dam. This function is provided via the Emergency Service Water (ESW) System and the High Pressure Service Water System (HPSW).
The emergency heat sink consists of an induced draft three cell cooling tower with an integral storage reservoir, three emergency cooling tower fans, two ESW booster pumps, valves, piping, and associated instrumentation. The emergency cooling tower, equipment, valves, and piping of the emergency heat sink are designed in accordance with seismic Class I criteria. Standby power is provided to ensure the emergency heat sink is capable of operating during a loss of offsite power.
When the normal heat sink (Conowingo Pond) is lost or when flooding occurs, sluice gates in the pump structure housing the ESW pumps and HPSW pumps are closed. Water is then provided through two gravity fed lines from the emergency heat sink reservoir into the pump structure pump bays. The ESW and HPSW pumps then pump cooling water to heat exchangers required to bring the Unit 2 and 3 reactors to safe shutdown conditions. Return water from the HPSW System flows directly to two of the three cells of the emergency cooling tower. Return water from the ESW System flows through one of the two ESW booster pumps and is pumped into one of the emergency cooling tower cells used by the HPSW System. This configuration allows for closed cycle operation of the ESW and HPSW Systems.
Sufficient capacity (3.7 million gallons of water) is available, when the minimum water level is 17 feet above the bottom of the emergency heat sink reservoir, to support simultaneous shutdown of Units 2 and 3 for 7 days without makeup water. After 7 days, makeup water will be provided from the Susquehanna River or from tank trucks.
PBAPS UNIT 2 B 3.7-11 Revision No. 0
APPLICABLE SAFETY ANALYSES
The emergency heat sink is required to support removal of heat from the Unit 2 and 3 reactors, primary containments, and other safety related equipment by providing a seismic Class I heat sink for the ESW and HPSW Systems for shutdown of the reactors when the normal non-safety grade heat sink (Conowingo Pond) is unavailable. Sufficient water inventory is available to supply all the ESW and HPSW System cooling requirements of both units during shutdown with a concurrent loss of offsite power for a 7 day period with no additional makeup water available. The ability of the emergency heat sink to support the shutdown of both Units 2 and 3 in the event of the loss of the normal heat sink is presented in the UFSAR (Ref. 1).
The Emergency Heat Sink satisfies Criterion 3 of the NRC Policy Statement.
LCO
In the event the normal heat sink is unavailable and offsite power is lost, the emergency heat sink is required to provide the minimum heat removal capability for the ESW and HPSW Systems to safely shutdown both units. To ensure this requirement is met, the emergency heat sink must be OPERABLE.
The emergency heat sink is considered OPERABLE when it has an OPERABLE flow path from the ESW System with one OPERABLE ESW booster pump, an OPERABLE flow path from both the Unit 2 and Unit 3 HPSW Systems, two of the three cooling tower cells and two of the three associated fans OPERABLE, one OPERABLE gravity feed line from the emergency heat sink reservoir into the pump structure bays with the capability to connect the Unit 2 and 3 pump structure bays, or one OPERABLE gravity feed line from the emergency heat sink to the Unit 2 pump structure bay with the Unit 2 and Unit 3 bays not connected, and the capability exists to manually isolate the ESW and HPSW pump structure bays from the Conowingo Pond. Valves in the required flow paths are considered OPERABLE if they can be manually aligned to their correct position. The OPERABILITY of the emergency heat sink also requires a minimum water level in the emergency heat sink reservoir of 17 feet.
PBAPS UNIT 2 B 3.7-12 Revision No. 2
Emergency heat sink water temperature is not addressed in this LCO since the maximum water temperature of the emergency cooling tower reservoir has been demonstrated, based on historical data, to be bounded by the normal heat sink requirements (LCO 3.7.2, "Emergency Service Water (ESW) System and Normal Heat Sink").
APPLICABILITY
In MODES 1, 2, and 3, the emergency heat sink is required to be OPERABLE to provide a seismic Class I source of cooling water to the ESW and HPSW Systems when the normal heat sink is unavailable. Therefore, the emergency heat sink is required to be OPERABLE in these MODES.
In MODES 4 and 5, the OPERABILITY requirements of the emergency heat sink are determined by the systems it supports in the event the normal heat sink is unavailable.
ACTIONS
A.1
With one required emergency cooling tower fan inoperable, action must be taken to restore the required emergency cooling tower fan to OPERABLE status within 14 days. The 14 day Completion Time is based on the remaining heat removal capability, the low probability of an event occurring requiring the inoperable emergency cooling tower fan to function, and the capability of the remaining emergency cooling tower fan.
B.1
With the emergency heat sink inoperable for reasons other than Condition A, the emergency heat sink must be restored to OPERABLE status within 7 days. With the unit in this condition, the normal heat sink (Conowingo Pond) is adequate to perform the heat removal function; however, the overall reliability is reduced. The 7 day Completion Time is based on the remaining heat removal capability and the low probability of an event occurring requiring the emergency heat sink to be OPERABLE during this time period.
PBAPS UNIT 2 B 3.7-13 Revision No. I
C.1 and C.2
If the emergency heat sink cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
SURVEILLANCE REQUIREMENTS
SR 3.7.3.1
This SR ensures adequate long term (7 days) cooling can be maintained in the event of flooding or loss of the Conowingo Pond. With the emergency heat sink water source below the minimum level, the emergency heat sink must be declared inoperable. The 31 day Frequency is based on operating experience related to trending of the parameter variations during the applicable MODES.
SR 3.7.3.2
Operating each required emergency cooling tower fan for ≥ 15 minutes ensures that all required fans are OPERABLE and that all associated controls are functioning properly. It also ensures that fan or motor failure, or excessive vibration, can be detected for corrective action. The 92 day Frequency is based on operating experience, the known reliability of the fan units, and the low probability of significant degradation of the required emergency cooling tower fans occurring between surveillances.
REFERENCES
- 1. UFSAR, Section 10.24.
PBAPS UNIT 2 B 3.7-14 Revision No. 0
MCREV System B 3.7.4
B 3.7 PLANT SYSTEMS
B 3.7.4 Main Control Room Emergency Ventilation (MCREV) System
BASES
BACKGROUND
The MCREV System limits the maximum temperature of the Main Control Room and provides a radiologically controlled environment from which the unit can be safely operated following a Design Basis Accident (DBA).
The safety related function of MCREV System includes two independent and redundant high efficiency air filtration subsystems and two 100% capacity emergency ventilation supply fans which supply and provide emergency treatment of outside supply air. Each filtration subsystem consists of a high efficiency particulate air (HEPA) filter, an activated charcoal adsorber section, a second HEPA filter, and the associated ductwork and dampers. Either emergency ventilation supply fan can operate in conjunction with either filtration subsystem. Each filtration subsystem receives outside air through the normal ventilation prefilter and air handling unit. Prefilters and HEPA filters remove particulate matter, which may be radioactive.
The charcoal adsorbers provide a holdup period for gaseous iodine, allowing time for decay. A dry gas purge is provided to each MCREV subsystem during idle periods to prevent moisture accumulation in the filters.
The MCREV System is a standby system that is common to both Unit 2 and Unit 3. The two MCREV subsystems must be OPERABLE if conditions requiring MCREV System OPERABILITY exist in either Unit 2 or Unit 3. Upon receipt of the initiation signal(s) (indicative of conditions that could result in radiation exposure to control room personnel), the MCREV System automatically starts and pressurizes the control room to prevent infiltration of contaminated air into the control room. A system of dampers isolates the control room, and outside air, taken in at the normal ventilation intake, is passed through one of the charcoal adsorber filter subsystems for removal of airborne radioactive particles. During normal control room ventilation system restoration following operation of the MCREV system, the automatic initiation function of MCREV will briefly be satisfied by operator actions and controlled procedural steps.
The MCREV System is designed to limit the maximum space temperature of the Control Room to 114°F dry-bulb with ventilation flow, but without air conditioning during a loss of offsite power (LOOP). If all normal ventilation and air conditioning were lost, the control room operator would
PBAPS UNIT 2 B 3.7-15 Revision No. 34
initiate an emergency shutdown of non-essential equipment and lighting to reduce the heat generation to a minimum.
Heat removal would be accomplished by conduction through the floors, ceilings, and walls to adjacent rooms and to the environment. Additionally, the MCREV System is designed to maintain the control room environment for a 30 day continuous occupancy after a DBA without exceeding 5 rem whole body dose. A single MCREV subsystem will pressurize the control room to prevent infiltration of air from surrounding buildings. MCREV System operation in maintaining control room habitability is discussed in the UFSAR, Chapters 7, 10, and 12, (Refs. 1, 2, and 3, respectively).
APPLICABLE SAFETY ANALYSES The ability of the MCREV System to maintain the habitability of the control room is an explicit assumption for the safety analyses presented in the UFSAR, Chapters 10 and 12 (Refs. 2 and 3, respectively). The MCREV System is assumed to operate following a loss of coolant accident, fuel handling accident, main steam line break, and control rod drop accident, as discussed in the UFSAR, Section 14.9.1.5 (Ref. 4). The radiological doses to control room personnel as a result of the various DBAs are summarized in Reference 4. No single active or passive failure will cause the loss of outside or recirculated air from the control room.
The MCREV System satisfies Criterion 3 of the NRC Policy Statement.
LCO Two redundant subsystems of the MCREV System are required to be OPERABLE to ensure that at least one is available, assuming a single failure disables the other subsystem.
Total system failure could result in exceeding a dose of 5 rem to the control room operators in the event of a DBA.
The MCREV System is considered OPERABLE when the individual components necessary to control operator exposure are OPERABLE in both subsystems. A subsystem is considered OPERABLE when its associated:
- a. Fan is OPERABLE;
PBAPS UNIT 2 B 3.7-16 Revision No. 0
- b. HEPA filter and charcoal adsorbers are not excessively restricting flow and are capable of performing their filtration functions; and
In addition, the control room boundary must be maintained, including the integrity of the walls, floors, ceilings, and ductwork. Temporary seals may be used to maintain the boundary. In addition, an access door may be opened provided the ability to pressurize the control room is maintained and the capability exists to close the affected door in an expeditious manner.
APPLICABILITY In MODES 1, 2, and 3, the MCREV System must be OPERABLE to control operator exposure during and following a DBA, since the DBA could lead to a fission product release.
In MODES 4 and 5, the probability and consequences of a DBA are reduced because of the pressure and temperature limitations in these MODES. Therefore, maintaining the MCREV System OPERABLE is not required in MODE 4 or 5, except for the following situations under which significant radioactive releases can be postulated:
- a. During operations with potential for draining the reactor vessel (OPDRVs);
- b. During CORE ALTERATIONS; and
- c. During movement of irradiated fuel assemblies in the secondary containment.
ACTIONS A.1
With one MCREV subsystem inoperable, the inoperable MCREV subsystem must be restored to OPERABLE status within 7 days.
With the unit in this condition, the remaining OPERABLE MCREV subsystem is adequate to maintain control room temperature and to perform control room radiation protection. However, the overall reliability is reduced because a single failure in the OPERABLE subsystem could result in reduced MCREV System capability. The 7 day Completion Time is based on the low probability of a DBA occurring during this time period, and that the remaining subsystem can provide the required capabilities.
PBAPS UNIT 2 B 3.7-17 Revision No. 0
B.1 and B.2 In MODE 1, 2, or 3, if the inoperable MCREV subsystem cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE that minimizes risk. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
C.1, C.2.1, C.2.2, and C.2.3 The Required Actions of Condition C are modified by a Note indicating that LCO 3.0.3 does not apply. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations.
Therefore, inability to suspend movement of irradiated fuel assemblies is not sufficient reason to require a reactor shutdown.
During movement of irradiated fuel assemblies in the secondary containment, during CORE ALTERATIONS, or during OPDRVs, if the inoperable MCREV subsystem cannot be restored to OPERABLE status within the required Completion Time, the OPERABLE MCREV subsystem may be placed in operation. This action ensures that the remaining subsystem is OPERABLE, that no failures that would prevent automatic actuation will occur, and that any active failure will be readily detected.
An alternative to Required Action C.1 is to immediately suspend activities that present a potential for releasing radioactivity that might require isolation of the control room. This places the unit in a condition that minimizes risk.
PBAPS UNIT 2 B 3.7-18 Revision No. 0
If applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment must be suspended immediately. Suspension of these activities shall not preclude completion of movement of a component to a safe position. Also, if applicable, actions must be initiated immediately to suspend OPDRVs to minimize the probability of a vessel draindown and the subsequent potential for fission product release. Actions must continue until the OPDRVs are suspended.
D.1 If both MCREV subsystems are inoperable in MODE 1, 2, or 3, the MCREV System may not be capable of performing the intended function and the unit is in a condition outside the accident analyses. Therefore, LCO 3.0.3 must be entered immediately.
E.1, E.2, and E.3 The Required Actions of Condition E are modified by a Note indicating that LCO 3.0.3 does not apply. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations.
Therefore, inability to suspend movement of irradiated fuel assemblies is not sufficient reason to require a reactor shutdown.
During movement of irradiated fuel assemblies in the secondary containment, during CORE ALTERATIONS, or during OPDRVs, with two MCREV subsystems inoperable, action must be taken immediately to suspend activities that present a potential for releasing radioactivity that might require isolation of the control room. This places the unit in a condition that minimizes risk.
If applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment must be suspended immediately. Suspension of these activities shall not preclude completion of movement of a component to a safe position. If applicable, actions must be initiated immediately to suspend OPDRVs to minimize the probability of a vessel draindown and subsequent potential for fission product release. Actions must continue until the OPDRVs are suspended.
PBAPS UNIT 2 B 3.7-19 Revision No. 0
SURVEILLANCE REQUIREMENTS SR 3.7.4.1 This SR verifies that a subsystem in a standby mode starts on demand and continues to operate for > 15 minutes.
Standby systems should be checked periodically to ensure that they start and function properly. As the environmental and normal operating conditions of this system are not severe, testing each subsystem once every month provides an adequate check on this system. Furthermore, the 31 day Frequency is based on the known reliability of the equipment and the two subsystem redundancy available.
SR 3.7.4.2 This SR verifies that the required MCREV testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The VFTP includes testing HEPA filter performance, charcoal adsorber efficiency, minimum system flow rate, and the physical properties of the activated charcoal (general use and following specific operations).
Specific test frequencies and additional information are discussed in detail in the VFTP.
SR 3.7.4.3 This SR verifies that on an actual or simulated initiation signal, each MCREV subsystem starts and operates. The LOGIC SYSTEM FUNCTIONAL TEST in SR 3.3.7.1.4 overlaps this SR to provide complete testing of the safety function. Operating experience has shown that these components will usually pass the SR when performed at the 24 month Frequency. Therefore, this Frequency is concluded to be acceptable from a reliability standpoint.
PBAPS UNIT 2 B 3.7-20 Revision No. 0
SR 3.7.4.4 This SR verifies the integrity of the control room enclosure, and the assumed inleakage rates of potentially contaminated air. The control room positive pressure, with respect to potentially contaminated adjacent areas (the turbine building), is periodically tested to verify proper function of the MCREV System. During operation, the MCREV System is designed to slightly pressurize the control room ≥ 0.1 inches water gauge positive pressure with respect to the turbine building to prevent unfiltered inleakage. The MCREV System is designed to provide this positive pressure at a flow rate of ≥ 2700 cfm and ≤ 3300 cfm to the control room when in operation. Manual adjustment of the MCREV System may be required to establish the flow rate of ≥ 2700 cfm and ≤ 3300 cfm during SR performance. The Frequency of 24 months on a STAGGERED TEST BASIS is consistent with other filtration systems SRs.
REFERENCES
- 1. UFSAR, Section 7.19.
- 2. UFSAR, Section 10.13.
- 3. UFSAR, Section 12.3.4.
- 4. UFSAR, Section 14.9.1.5.
PBAPS UNIT 2 B 3.7-21 Revision No. 20
Main Condenser Offgas B 3.7.5 B 3.7 PLANT SYSTEMS B 3.7.5 Main Condenser Offgas BASES BACKGROUND During unit operation, steam from the low pressure turbine is exhausted directly into the condenser. Air and noncondensible gases are collected in the condenser, then exhausted through the steam jet air ejectors (SJAEs) to the Main Condenser Offgas System. The offgas from the main condenser normally includes radioactive gases.
The Main Condenser Offgas System has been incorporated into the unit design to reduce the gaseous radwaste emission.
This system uses a catalytic recombiner to recombine radiolytically dissociated hydrogen and oxygen. The gaseous mixture is cooled and water vapor removed by the offgas recombiner condenser; the remaining water and condensibles are stripped out by the cooler condenser and moisture separator. The remaining gaseous mixture (i.e., the offgas recombiner effluent) is then processed by a charcoal adsorber bed prior to release.
APPLICABLE SAFETY ANALYSES The main condenser offgas gross gamma activity rate is an initial condition of the Main Condenser Offgas System failure event, discussed in the UFSAR, Section 9.4.5 (Ref. 1). The analysis assumes a gross failure in the Main Condenser Offgas System that results in the rupture of the Main Condenser Offgas System pressure boundary. The gross gamma activity rate is controlled to ensure that, during the event, the calculated offsite doses will be well within the limits of 10 CFR 100 (Ref. 2) or the NRC staff approved licensing basis.
The main condenser offgas limits satisfy Criterion 2 of the NRC Policy Statement.
LCO To ensure compliance with the assumptions of the Main Condenser Offgas System failure event (Ref. 1), the fission product release rate should be consistent with a noble gas release to the reactor coolant of 100 μCi/MWt-second after decay of 30 minutes. The LCO is established consistent with this requirement (3293 MWt x 100 μCi/MWt-second = 320,000 μCi/second) and is based on the original licensed rated thermal power.
PBAPS UNIT 2 B 3.7-22 Revision No. 0
APPLICABILITY The LCO is applicable when steam is being exhausted to the main condenser and the resulting noncondensibles are being processed via the Main Condenser Offgas System. This occurs during MODE 1, and during MODES 2 and 3 with any main steam line not isolated and the SJAE in operation. In MODES 4 and 5, steam is not being exhausted to the main condenser and the requirements are not applicable.
ACTIONS A.1 If the offgas radioactivity rate limit is exceeded, 72 hours is allowed to restore the gross gamma activity rate to within the limit. The 72 hour Completion Time is reasonable, based on engineering judgment, the time required to complete the Required Action, the large margins associated with permissible dose and exposure limits, and the low probability of a Main Condenser Offgas System rupture.
B.1, B.2, B.3.1, and B.3.2 If the gross gamma activity rate is not restored to within the limits in the associated Completion Time, all main steam lines or the SJAE must be isolated. This isolates the Main Condenser Offgas System from the source of the radioactive steam. The main steam lines are considered isolated if at least one main steam isolation valve in each main steam line is closed, and at least one main steam line drain valve in each drain line inboard of the main steam isolation valves is closed. The 12 hour Completion Time is reasonable, based on operating experience, to perform the actions from full power conditions in an orderly manner and without challenging unit systems.
An alternative to Required Actions B.1 and B.2 is to place the unit in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
PBAPS UNIT 2 B 3.7-23 Revision No. 0
SURVEILLANCE REQUIREMENTS SR 3.7.5.1 This SR, on a 31 day Frequency, requires an isotopic analysis of an offgas sample to ensure that the required limits are satisfied. The noble gases to be sampled are Xe-133, Xe-135, Xe-138, Kr-85m, Kr-87, and Kr-88. If the measured rate of radioactivity increases significantly (by > 50% after correcting for expected increases due to changes in THERMAL POWER), an isotopic analysis is also performed within 4 hours after the increase is noted, to ensure that the increase is not indicative of a sustained increase in the radioactivity rate. The 31 day Frequency is adequate in view of other instrumentation that continuously monitor the offgas, and is acceptable, based on operating experience. This SR is modified by a Note indicating that the SR is not required to be performed until 31 days after any main steam line is not isolated and the SJAE is in operation. Only in this condition can radioactive fission gases be in the Main Condenser Offgas System at significant rates.
REFERENCES
- 1. UFSAR, Section 9.4.5.
- 2. 10 CFR 100.
PBAPS UNIT 2 B 3.7-24 Revision No. 0
Main Turbine Bypass System B 3.7.6 B 3.7 PLANT SYSTEMS B 3.7.6 Main Turbine Bypass System BASES BACKGROUND The Main Turbine Bypass System is designed to control steam pressure when reactor steam generation exceeds turbine requirements during unit startup, sudden load reduction, and cooldown. It allows excess steam flow from the reactor to the condenser without going through the turbine. The bypass capacity of the system is 25% of the Nuclear Steam Supply System rated steam flow. Sudden load reductions within the capacity of the steam bypass can be accommodated without safety relief valves opening or a reactor scram. The Main Turbine Bypass System consists of nine modulating type hydraulically actuated bypass valves mounted on a valve manifold. The manifold is connected with two steam lines to the four main steam lines upstream of the turbine stop valves. The bypass valves are controlled by the bypass control unit of the Pressure Regulator and Turbine Generator Control System, as discussed in the UFSAR, Section 7.11.3 (Ref. 1). The bypass valves are normally closed. However, if the total steam flow signal exceeds the turbine control valve flow signal of the Pressure Regulator and Turbine Generator Control System, the bypass control unit processes these signals and will output a bypass flow signal to the bypass valves. The bypass valves will then open sequentially to bypass the excess flow through connecting piping and a pressure reducing orifice to the condenser.
APPLICABLE SAFETY ANALYSES The Main Turbine Bypass System is expected to function during the electrical load rejection transient, the turbine trip transient, and the feedwater controller failure maximum demand transient, as described in the UFSAR, Section 14.5.1.1 (Ref. 2), Section 14.5.1.2.1 (Ref. 3), and Section 14.5.2.2 (Ref. 4). However, the feedwater controller maximum demand transient is the limiting licensing basis transient which defines the MCPR operating limit if the Main Turbine Bypass System is inoperable.
Opening the bypass valves during the pressurization events mitigates the increase in reactor vessel pressure, which affects the MCPR during the event.
The Main Turbine Bypass System satisfies Criterion 3 of the NRC Policy Statement.
PBAPS UNIT 2 B 3.7-25 Revision No. 0
Main Turbine Bypass System B 3.7.6 BASES ACTIONS B.1 (continued)
If the Main Turbine Bypass System cannot be restored to OPERABLE status or MAPFAC, MCPRp, and the MCPR operating limits for an inoperable Main Turbine Bypass System are not applied, THERMAL POWER must be reduced to < 25% RTP. As discussed in the Applicability section, operation at < 25% RTP results in sufficient margin to the required limits, and the Main Turbine Bypass System is not required to protect fuel integrity during the applicable safety analyses transients. The 4 hour Completion Time is reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner without challenging unit systems.
SURVEILLANCE REQUIREMENTS SR 3.7.6.1 Cycling each main turbine bypass valve through one complete cycle of full-travel demonstrates that the valves are mechanically OPERABLE and will function when required. The 31 day Frequency is based on manufacturer's recommendations (Ref. 5), is consistent with the procedural controls governing valve operation, and ensures correct valve positions. Operating experience has shown that these components usually pass the SR when performed at the 31 day Frequency. Therefore, the Frequency is acceptable from a reliability standpoint.
SR 3.7.6.2 The Main Turbine Bypass System is required to actuate automatically to perform its design function. This SR demonstrates that, with the required system initiation signals, the valves will actuate to their required position.
The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a unit outage and because of the potential for an unplanned transient if the Surveillance were performed with the reactor at power.
PBAPS UNIT 2 B 3.7-27 Revision No. 0
SR 3.7.6.3 This SR ensures that the TURBINE BYPASS SYSTEM RESPONSE TIME is in compliance with the assumptions of the appropriate safety analyses. The response time limits are specified in COLR. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a unit outage and because of the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown the 24 month Frequency, which is based on the refueling cycle, is acceptable from a reliability standpoint.
REFERENCES
- 1. UFSAR, Section 7.11.3.
- 2. UFSAR, Section 14.5.1.1.
- 3. UFSAR, Section 14.5.1.2.1.
- 4. UFSAR, Section 14.5.2.2.
- 5. GE Service Information Letter No. 413, "Main Steam Bypass Valve Testing," October 4, 1984.
PBAPS UNIT 2 B 3.7-28 Revision No. 0
Spent Fuel Storage Pool Water Level B 3.7.7 B 3.7 PLANT SYSTEMS B 3.7.7 Spent Fuel Storage Pool Water Level BASES BACKGROUND The minimum water level in the spent fuel storage pool meets the assumptions of iodine decontamination factors following a fuel handling accident.
A general description of the spent fuel storage pool design is found in the UFSAR, Section 10.3 (Ref. 1). The assumptions of the fuel handling accident are found in the UFSAR, Section 14.6.4 (Ref. 2).
APPLICABLE SAFETY ANALYSES The water level above the irradiated fuel assemblies is an implicit assumption of the fuel handling accident. A fuel handling accident is evaluated to ensure that the radiological consequences (calculated whole body and thyroid doses at the site boundary) are well below the guidelines set forth in 10 CFR 100 (Ref. 3). A fuel handling accident could release a fraction of the fission product inventory by breaching the fuel rod cladding as discussed in Reference 2.
The fuel handling accident is evaluated for the dropping of an irradiated fuel assembly onto the reactor core. The consequences of a fuel handling accident over the spent fuel storage pool are no more severe than those of the fuel handling accident over the reactor core. The water level in the spent fuel storage pool provides for absorption of water soluble fission product gases and transport delays of soluble and insoluble gases that must pass through the water before being released to the secondary containment atmosphere. This absorption and transport delay reduces the potential radioactivity of the release during a fuel handling accident.
The spent fuel storage pool water level satisfies Criteria 2 and 3 of the NRC Policy Statement.
LCO The specified water level (232 ft 3 inches plant elevation, which is equivalent to 22 ft over the top of irradiated fuel assemblies seated in the spent fuel storage pool racks) preserves the assumptions of the fuel handling accident analysis (Ref. 2). As such, it is the minimum required for fuel movement within the spent fuel storage pool.
PBAPS UNIT 2 B 3.7-29 Revision No. 31
APPLICABILITY This LCO applies during movement of fuel assemblies in the spent fuel storage pool since the potential for a release of fission products exists.
ACTIONS A.1 Required Action A.1 is modified by a Note indicating that LCO 3.0.3 does not apply. If moving fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, inability to suspend movement of fuel assemblies is not a sufficient reason to require a reactor shutdown.
When the initial conditions for an accident cannot be met, action must be taken to preclude the accident from occurring. If the spent fuel storage pool level is less than required, the movement of fuel assemblies in the spent fuel storage pool is suspended immediately. Suspension of this activity shall not preclude completion of movement of a fuel assembly to a safe position. This effectively precludes a spent fuel handling accident from occurring.
SURVEILLANCE REQUIREMENTS SR 3.7.7.1 This SR verifies that sufficient water is available in the event of a fuel handling accident. The water level in the spent fuel storage pool must be checked periodically. The 7 day Frequency is acceptable, based on operating experience, considering that the water volume in the pool is normally stable, and all water level changes are controlled by unit procedures.
REFERENCES
- 1. UFSAR, Section 10.3.
- 2. UFSAR, Section 14.6.4.
- 3. 10 CFR 100.
PBAPS UNIT 2 B 3.7-30 Revision No. 0
AC Sources-Operating B 3.8.1 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.1 AC Sources-Operating BASES BACKGROUND The unit AC sources for the Class 1E AC Electrical Power Distribution System consist of the offsite power sources, and the onsite standby power sources (diesel generators (DGs)). As required by UFSAR Sections 1.5 and 8.4.2 (Ref. 1), the design of the AC electrical power system provides independence and redundancy to ensure an available source of power to the Engineered Safety Feature (ESF) systems.
The Class 1E AC distribution system is divided into redundant load groups, so loss of any one group does not prevent the minimum safety functions from being performed.
Each load group has connections to two qualified circuits that connect the unit to multiple offsite power supplies and a single DG.
The two qualified circuits between the offsite transmission network and the onsite Class 1E AC Electrical Power Distribution System are supported by multiple, independent offsite power sources. One of these qualified circuits can be connected to either of two offsite sources: the preferred offsite source is the 230 kV Nottingham-Graceton line which supplies the plant through the 230/13.8 kV startup and emergency auxiliary transformer no. 2; the alternate offsite source is the auto-transformer (500/230 kV) at North Substation which feeds a 230/13.8 kV regulating transformer (startup and emergency auxiliary transformer no. 3), the 3SU regulating transformer switchgear, and the 2SUA switchgear. The aligned source is further stepped down via the 2SU startup transformer switchgear through the 13.2/4.16 kV emergency auxiliary transformer no. 2. The other qualified circuit can be connected to either of two offsite sources: the preferred offsite source is the 230 kV Peach Bottom-Newlinville line which supplies a 230/13.8 kV transformer (startup transformer no. 343); the alternate offsite source is the auto-transformer (500/230 kV) at North Substation which feeds a 230/13.8 kV regulating transformer (startup and emergency auxiliary transformer no. 3) and the 3SU regulating transformer switchgear. The aligned source is further stepped down via the 343SU transformer switchgear through the 13.2/4.16 kV emergency auxiliary transformer no. 3. In addition, the alternate source can only be used to meet the requirements of one offsite circuit. A detailed description of the offsite power network and circuits to the onsite Class 1E ESF buses is found in the UFSAR, Sections 8.3 and 8.4 (Ref. 2).
PBAPS UNIT 2 B 3.8-1 Revision No. 0
A qualified offsite circuit consists of all breakers, transformers, switches, interrupting devices, cabling, and controls required to transmit power from the offsite transmission network to the onsite Class 1E emergency bus or buses. The determination of the operability of a qualified source of offsite power can be made using three factors, that when taken together, describe the design basis calculation requirements for voltage regulation. The combination of these factors ensures that the offsite source(s), which provide power to the plant emergency buses, will be fully capable of supporting the equipment required to achieve and maintain safe shutdown during postulated accidents and transients.
a) An offsite source of electrical power is considered operable if it is within the bounds of analyzed conditions. The most limiting analysis provides the following bounds:
i) The Startup Transformer Load Tap Changer (LTC) is functional; ii) Offsite source grid voltages are maintained above 218.5 kV on the 230 kV system and 498 kV on the 525 kV networks; iii) Electrical buses and breaker alignments are maintained within the bounds of approved plant procedures.
b) Based on specific design analysis, variations to any of these parameters are permissible, usually at the sacrifice of another parameter, based on plant conditions. Specifics regarding these variations are controlled by plant procedures or by condition specific design calculations.
A description of the Unit 3 offsite power sources is provided in the Bases for Unit 3 LCO 3.8.1, "AC Sources-Operating." The description is identical with the exception that the two offsite circuits provide power to the Unit 3 4 kV emergency buses (i.e., each Unit 2 offsite circuit is common to its respective Unit 3 offsite circuit except for the 4 kV emergency bus feeder breakers).
PBAPS UNIT 2 B 3.8-2 Revision No. 33
The onsite standby power source for the four 4 kV emergency buses in each unit consists of four DGs. The four DGs provide onsite standby power for both Unit 2 and Unit 3. Each DG provides standby power to two 4 kV emergency buses - one associated with Unit 2 and one associated with Unit 3.
A DG starts automatically on a loss of coolant accident (LOCA) signal (i.e., low reactor water level signal or high drywell pressure signal) from either Unit 2 or Unit 3 or on an emergency bus degraded voltage or undervoltage signal.
After the DG has started, it automatically ties to its respective bus after offsite power is tripped as a consequence of emergency bus undervoltage or degraded voltage, independent of or coincident with a LOCA signal.
The DGs also start and operate in the standby mode without tying to the emergency bus on a LOCA signal alone.
Following the trip of offsite power, all loads are stripped from the emergency bus. When the DG is tied to the emergency bus, loads are then sequentially connected to its respective emergency bus by individual timers associated with each auto-connected load following a permissive from a voltage relay monitoring each emergency bus.
In the event of a loss of both offsite power sources, the ESF electrical loads are automatically connected to the DGs in sufficient time to provide for safe reactor shutdown of both units and to mitigate the consequences of a Design Basis Accident (DBA) such as a LOCA. Within 59 seconds after the initiating signal is received, all automatically connected loads needed to recover the unit or maintain it in a safe condition are returned to service. The failure of any one DG does not impair safe shutdown because each DG serves an independent, redundant 4 kV emergency bus for each unit. The remaining DGs and emergency buses have sufficient capability to mitigate the consequences of a DBA, support the shutdown of the other unit, and maintain both units in a safe condition.
Ratings for the DGs satisfy the requirements of Regulatory Guide 1.9 (Ref. 3) except that the loading of DG E2 may exceed the 2000 hour rating during the first 10 minutes of a DBA LOCA. Each of the four DGs has the following ratings:
- a. 2600 kW - continuous,
- b. 3000 kW - 2000 hours,
- c. 3100 kW - 200 hours,
- d. 3250 kW - 30 minutes.
PBAPS UNIT 2 B 3.8-3 Revision No. 33
APPLICABLE SAFETY ANALYSES The initial conditions of DBA and transient analyses in the UFSAR, Chapter 14 (Ref. 4), assume ESF systems are OPERABLE.
The AC electrical power sources are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System (RCS), and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.5, Emergency Core Cooling Systems (ECCS) and Reactor Core Isolation Cooling (RCIC) System; and Section 3.6, Containment Systems.
The OPERABILITY of the AC electrical power sources is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining the onsite or offsite AC sources OPERABLE during accident conditions in the event of:
- a. An assumed loss of all offsite power or all onsite AC power; and
- b. A worst case single failure.
AC sources satisfy Criterion 3 of the NRC Policy Statement.
LCO Two qualified circuits between the offsite transmission network and the onsite Class 1E Distribution System and four separate and independent DGs ensure availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an abnormal operational transient or a postulated DBA. In addition, since some equipment required by Unit 2 is powered from Unit 3 sources (i.e., Standby Gas Treatment (SGT) System, emergency heat sink components, and Unit 3 125 VDC battery chargers), qualified circuit(s) between the offsite transmission network and the Unit 3 onsite Class 1E AC electrical power distribution subsystem(s) needed to support this equipment must also be OPERABLE.
An OPERABLE qualified Unit 2 offsite circuit consists of the incoming breaker and disconnect to the startup and emergency auxiliary transformer, the respective circuit path to the emergency auxiliary transformer, and the circuit path to at least three Unit 2 4 kV emergency buses including feeder breakers to the three Unit 2 4 kV emergency buses. If at least one of the two circuits does not provide power or is not capable of providing power to all four Unit 2 4 kV emergency buses, then the Unit 2 4 kV emergency buses that each circuit powers or is capable of powering cannot all be the same (i.e., two feeder breakers on one Unit 2 4 kV emergency bus cannot be inoperable). An OPERABLE qualified Unit 3 offsite circuit's requirements are the same as the Unit 2 circuit's requirements, except that the circuit path, including the feeder breakers, is to the Unit 3 4 kV emergency buses required to be OPERABLE by LCO 3.8.7, "Distribution Systems-Operating." Each offsite circuit must be capable of maintaining rated frequency and voltage, and accepting required loads during an accident, while connected to the emergency buses.
Each DG has two ventilation supply fans; a main supply fan and a supplemental supply fan. The supplemental supply fan provides additional air cooling to the generator area.
Whenever outside air temperature is greater than or equal to 80°F, each DG's main supply fan and supplemental supply fan are required to be OPERABLE for the associated DG to be OPERABLE. Whenever outside air temperature is less than 80°F, the supplemental supply fan is not required to be OPERABLE for the associated DG to be OPERABLE; however, the main supply fan is required to be OPERABLE for the associated DG to be OPERABLE.
Each DG must be capable of starting, accelerating to rated speed and voltage, and connecting to its respective Unit 2 4 kV emergency bus on detection of bus undervoltage. This sequence must be accomplished within 10 seconds. Each DG must also be capable of accepting required loads within the assumed loading sequence intervals, and must continue to operate until offsite power can be restored to the emergency buses. These capabilities are required to be met from a variety of initial conditions, such as DG in standby with the engine hot and DG in standby with the engine at ambient condition. Additional DG capabilities must be demonstrated to meet required Surveillances, e.g., capability of the DG to revert to standby status on an ECCS signal while operating in parallel test mode. Proper sequencing of loads, including tripping of all loads, is a required function for DG OPERABILITY.
In addition, since some equipment required by Unit 2 is powered from Unit 3 sources, the DG(s) capable of supplying the Unit 3 onsite Class 1E AC electrical power distribution subsystem(s) needed to support this equipment must be OPERABLE. The OPERABILITY requirements for these DGs are the same as described above, except that each required DG must be capable of connecting to its respective Unit 3 4 kV emergency bus. (In addition, the Unit 3 ECCS initiation logic SRs are not applicable, as described in SR 3.8.1.21 Bases.)
The AC sources must be separate and independent (to the extent possible) of other AC sources. For the DGs, the separation and independence are complete. For the offsite AC sources, the separation and independence are to the extent practical. A circuit may be connected to more than one 4 kV emergency bus division, with automatic transfer capability to the other circuit OPERABLE, and not violate separation criteria. A circuit that is not connected to at least three 4 kV emergency buses is required to have OPERABLE automatic transfer interlock mechanisms such that it can provide power to at least three 4 kV emergency buses to support OPERABILITY of that circuit.
APPLICABILITY The AC sources are required to be OPERABLE in MODES 1, 2, and 3 to ensure that:
- a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of abnormal operational transients; and
- b. Adequate core cooling is provided and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.
The AC power requirements for MODES 4 and 5 are covered in LCO 3.8.2, "AC Sources-Shutdown."
ACTIONS A.1 To ensure a highly reliable power source remains with one offsite circuit inoperable, it is necessary to verify the availability of the remaining offsite circuits on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action not met. However, if a second circuit fails SR 3.8.1.1, the second offsite circuit is inoperable, and Condition D, for two offsite circuits inoperable, is entered.
A.2 Required Action A.2, which only applies if one 4 kV emergency bus cannot be powered from any offsite source, is intended to provide assurance that an event with a coincident single failure of the associated DG does not result in a complete loss of safety function of critical systems. These features (e.g., system, subsystem, division, component, or device) are designed to be powered from redundant safety related 4 kV emergency buses. Redundant required features failures consist of inoperable features associated with an emergency bus redundant to the emergency bus that has no offsite power.
The Completion Time for Required Action A.2 is intended to allow time for the operator to evaluate and repair any discovered inoperabilities. This Completion Time also allows an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action the Completion Time only begins on discovery that both:
- a. A 4 kV emergency bus has no offsite power supplying its loads; and
- b. A redundant required feature on another 4 kV emergency bus is inoperable.
If, at any time during the existence of this Condition (one offsite circuit inoperable), a required feature subsequently becomes inoperable, this Completion Time would begin to be tracked.
Discovering no offsite power to one 4 kV emergency bus of the onsite Class 1E Power Distribution System coincident with one or more inoperable required support or supported features, or both, that are associated with any other emergency bus that has offsite power, results in starting the Completion Times for the Required Action. Twenty-four hours is acceptable because it minimizes risk while allowing time for restoration before the unit is subjected to transients associated with shutdown.
The remaining OPERABLE offsite circuits and DGs are adequate to supply electrical power to the onsite Class 1E Distribution System. Thus, on a component basis, single failure protection may have been lost for the required feature's function; however, function is not lost. The 24 hour Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 24 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.
A.3 The 4 kV emergency bus design and loading is sufficient to allow operation to continue in Condition A for a period not to exceed 7 days. With one offsite circuit inoperable, the reliability of the offsite system is degraded, and the potential for a loss of offsite power is increased, with attendant potential for a challenge to the plant safety systems. In this condition, however, the remaining OPERABLE offsite circuits and the four DGs are adequate to supply electrical power to the onsite Class 1E Distribution System.
The 7 day Completion Time takes into account the redundancy, capacity, and capability of the remaining AC sources, reasonable time for repairs, and the low probability of a DBA occurring during this period.
The second Completion Time for Required Action A.3 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet LCO 3.8.1.a or b. If Condition A is entered while, for instance, a DG is inoperable, and that DG is subsequently returned OPERABLE, the LCO may already have been not met for up to 7 days. This situation could lead to a total of 14 days, since initial failure to meet LCO 3.8.1.a or b, to restore the offsite circuit. At this time, a DG could again become inoperable, the circuit restored OPERABLE, and an additional 7 days (for a total of 21 days) allowed prior to complete restoration of the LCO. The 14 day Completion Time provides a limit on the time allowed in a specified Condition after discovery of failure to meet LCO 3.8.1.a or b. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 7 day and 14 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.
As in Required Action A.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This exception results in establishing the "time zero" at the time the LCO was initially not met, instead of at the time that Condition A was entered.
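The interaction of the 7 day and 14 day Completion Times described for Required Action A.3 can be traced with a short calculation. The following Python sketch is an added illustration and is not part of the PBAPS Bases; the function names, the constructed event dates, and the simplification that every Condition carries its own 7 day limit (as the walk-through above does) are assumptions.

```python
from datetime import datetime, timedelta

# Limits taken from the A.3 discussion above.
CONDITION_LIMIT = timedelta(days=7)   # counted from entry into the Condition
LCO_LIMIT = timedelta(days=14)        # counted from first failure to meet the LCO


def completion_deadline(condition_entered, lco_first_not_met, apply_lco_limit=True):
    """Return the latest restoration time for one inoperable source.

    With the "AND" connector both limits apply at once, so the earlier
    (more restrictive) of the two deadlines governs.
    """
    per_condition = condition_entered + CONDITION_LIMIT
    if not apply_lco_limit:
        return per_condition
    return min(per_condition, lco_first_not_met + LCO_LIMIT)


def walk_timeline(events, apply_lco_limit=True):
    """Walk (time, source, operable) events in the order given.

    "Time zero" is the moment the LCO was first not met. It is kept for as
    long as at least one source stays inoperable and is cleared only when
    every source is OPERABLE again.
    """
    inoperable = set()
    time_zero = None
    records = []
    for when, source, operable in events:
        if operable:
            inoperable.discard(source)
            if not inoperable:
                time_zero = None      # LCO met again; next failure starts a new clock
            continue
        if not inoperable:
            time_zero = when          # first failure of this contiguous occurrence
        inoperable.add(source)
        records.append({
            "source": source,
            "entered": when,
            "time_zero": time_zero,
            "deadline": completion_deadline(when, time_zero, apply_lco_limit),
        })
    return records


def max_contiguous_days(events, apply_lco_limit=True):
    """Longest span, in days, from time zero to any permitted deadline."""
    records = walk_timeline(events, apply_lco_limit)
    return max((r["deadline"] - r["time_zero"]).days for r in records)


# Constructed timeline reproducing the scenario in the text: a DG is
# inoperable, an offsite circuit is lost on day 7 just before the DG is
# returned, then the DG is lost again on day 14 just before the circuit
# is restored. The start date is arbitrary.
START = datetime(2003, 1, 1)
SAMPLE_EVENTS = [
    (START, "DG", False),
    (START + timedelta(days=7), "offsite circuit", False),
    (START + timedelta(days=7), "DG", True),
    (START + timedelta(days=14), "DG", False),
    (START + timedelta(days=14), "offsite circuit", True),
]

if __name__ == "__main__":
    for capped in (False, True):
        label = "7 day AND 14 day" if capped else "7 day only"
        print(label, "->", max_contiguous_days(SAMPLE_EVENTS, capped), "days")
```

With only the per-Condition limit, the alternating failures stretch the contiguous period of not meeting the LCO to 21 days; with the second limit applied, every deadline in the same occurrence is held to 14 days from time zero.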
B.1 The 33 kV Conowingo Tie-Line, using a separate 33/13.8 kV transformer, can be used to supply the circuit normally supplied by startup and emergency auxiliary transformer no. 2. While not a qualified circuit, this alternate source is a direct tie to the Conowingo Hydro Station that provides a highly reliable source of power because: the line and transformers at both ends of the line are dedicated to the support of PBAPS; the tie line is not subject to damage from adverse weather conditions; and, the tie line can be isolated from other parts of the grid when necessary to ensure its availability and stability to support PBAPS. The availability of this highly reliable source of offsite power permits an extension of the allowable out of service time for a DG to 14 days from the discovery of failure to meet LCO 3.8.1.a or b (per Required Action B.5). Therefore, when a DG is inoperable, it is necessary to verify the availability of the Conowingo Tie-Line immediately and once per 12 hours thereafter. The Completion Time of "Immediately" reflects the fact that in order to ensure that the full 14 day Completion Time of Required Action B.5 is available for completing preplanned maintenance of a DG, prudent plant practice at PBAPS dictates that the availability of the Conowingo Tie-Line be verified prior to making a DG inoperable for preplanned maintenance. The Conowingo Tie-Line is available and satisfies the requirements of Required Action B.1 if: 1) the Conowingo line is supplying power to the 13.8kV SBO Switchgear 00A306; 2) all equipment required, per SE-11, to connect power from the Conowingo Tie-Line to the emergency 4kV buses and to isolate all non-SBO loads from the Conowingo Tie-Line is available and accessible; and 3) communications with the Conowingo control room indicate that required equipment at Conowingo is available. If Required Action B.1 is not met or the status of the Conowingo Tie-Line changes after Required Action B.1 is initially met, Condition C must be immediately entered.
B.2 To ensure a highly reliable power source remains with one DG inoperable, it is necessary to verify the availability of the required offsite circuits on a more frequent basis.
Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met. However, if a circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions must then be entered.
B.3 Required Action B.3 is intended to provide assurance that a loss of offsite power, during the period that a DG is inoperable, does not result in a complete loss of safety function of critical systems. These features are designed to be powered from redundant safety related 4 kV emergency buses. Redundant required features failures consist of inoperable features associated with an emergency bus redundant to the emergency bus that has an inoperable DG.
The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action the Completion Time only begins on discovery that both:
- a. An inoperable DG exists; and
- b. A redundant required feature on another 4 kV emergency bus is inoperable.
If, at any time during the existence of this Condition (one DG inoperable), a required feature subsequently becomes inoperable, this Completion Time begins to be tracked.
Discovering one DG inoperable coincident with one or more inoperable required support or supported features, or both, that are associated with the OPERABLE DGs results in starting the Completion Time for the Required Action. Four hours from the discovery of these events existing concurrently is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.
The remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. Thus, on a component basis, single failure protection for the required feature's function may have been lost; however, function has not been lost. The 4 hour Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 4 hour Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and low probability of a DBA occurring during this period.
B.4.1 and B.4.2 Required Action B.4.1 provides an allowance to avoid unnecessary testing of OPERABLE DGs. If it can be determined that the cause of the inoperable DG does not exist on the OPERABLE DGs, SR 3.8.1.2 does not have to be performed. If the cause of inoperability exists on other DG(s), they are declared inoperable upon discovery, and Condition F or H of LCO 3.8.1 is entered, as applicable.
Once the failure is repaired, and the common cause failure no longer exists, Required Action B.4.1 is satisfied. If the cause of the initial inoperable DG cannot be confirmed not to exist on the remaining DGs, performance of SR 3.8.1.2 suffices to provide assurance of continued OPERABILITY of those DGs.
In the event the inoperable DG is restored to OPERABLE status prior to completing either B.4.1 or B.4.2, the PBAPS Performance Enhancement Program will continue to evaluate the common cause possibility. This continued evaluation, however, is no longer required under the 24 hour constraint imposed while in Condition B.
According to Generic Letter 84-15 (Ref. 5), 24 hours is a reasonable time to confirm that the OPERABLE DGs are not affected by the same problem as the inoperable DG.
B.5 The availability of the Conowingo Tie-Line provides an additional source which permits operation to continue in Condition B for a period that should not exceed 14 days from discovery of the failure to meet LCO 3.8.1.a or b. In Condition B, the remaining OPERABLE DGs and the normal offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. The Completion Time of Required Action B.5 takes into account the enhanced reliability and availability of offsite sources due to the Conowingo Tie-Line, the redundancy, capacity, and capability of the other remaining AC sources, reasonable time for repairs of the affected DG, and low probability of a DBA occurring during this period.
The Completion Time for Required Action B.5 also establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet LCO 3.8.1.a or b.
If Condition B is entered while, for instance, an offsite circuit is inoperable and that circuit is subsequently restored OPERABLE, the LCO may already have been not met for up to 7 days. This situation could lead to a total of 14 days, since initial failure of LCO 3.8.1.a or b, to restore the DG. At this time, an offsite circuit could again become inoperable, the DG restored OPERABLE, and an additional 7 days (for a total of 21 days) allowed prior to complete restoration of the LCO. The 14 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet LCO 3.8.1.a or b. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The 14 day Completion Time would also limit the maximum time a DG is inoperable if the status of the Conowingo Tie-Line changes from being available to being not available (this is discussed in Required Action C.1 Bases discussion).
As in Required Action B.3, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This exception results in establishing the "time zero" at the time that the LCO was initially not met, instead of the time that Condition B was entered.
The extended Completion Time for restoration of an inoperable DG afforded by the availability of the Conowingo Tie-Line is intended to allow completion of a diesel generator overhaul; however, subject to the diesel generator reliability program, INPO performance criteria, and good operating practices, using the extended Completion Time is permitted for other reasons. Activities or conditions that increase the probability of a loss of offsite power (i.e., switchyard maintenance or severe weather) should be considered when scheduling a diesel generator outage. In addition, the effect of other inoperable plant equipment should be considered when scheduling a diesel generator outage.
C.1 If the availability of the Conowingo Tie-Line is not verified within the Completion Time of Required Action B.1, or if the status of the Conowingo Tie-Line changes after Required Action B.1 is initially met, the DG must be restored to OPERABLE status within 7 days. The 7 day Completion Time begins upon entry into Condition C (i.e., upon discovery of failure to meet Required Action B.1). However, the total time to restore an inoperable DG cannot exceed 14 days (per the Completion Time of Required Action B.5).
The 4 kV emergency bus design and loading is sufficient to allow operation to continue in Condition B for a period that should not exceed 7 days, if the Conowingo Tie-Line is not available (refer to Required Action B.1 Bases discussion).
In Condition C, the remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. The 7 day Completion Time takes into account the redundancy, capacity, and capability of the remaining AC sources, reasonable time for repairs, and low probability of a DBA occurring during this period.
D.1 and D.2 Required Action D.1 addresses actions to be taken in the event of inoperability of redundant required features concurrent with inoperability of two or more offsite circuits. Required Action D.1 reduces the vulnerability to a loss of function. The Completion Time for taking these actions is reduced to 12 hours from that allowed with one 4 kV emergency bus without offsite power (Required Action A.2). The rationale for the reduction to 12 hours is that Regulatory Guide 1.93 (Ref. 6) allows a Completion Time of 24 hours for two offsite circuits inoperable, based upon the assumption that two complete safety divisions are OPERABLE. (While this Action allows more than two circuits to be inoperable, Regulatory Guide 1.93 assumed two circuits were all that were required by the LCO, and a loss of those two circuits resulted in a loss of all offsite power to the Class 1E AC Electrical Power Distribution System. Thus, with the Peach Bottom Atomic Power Station design, a loss of more than two offsite circuits results in the same conditions assumed in Regulatory Guide 1.93.) When a concurrent redundant required feature failure exists, this assumption is not the case, and a shorter Completion Time of 12 hours is appropriate. These features are designed with redundant safety related 4 kV emergency buses. Redundant required features failures consist of any of these features that are inoperable because any inoperability is on an emergency bus redundant to an emergency bus with inoperable offsite circuits.
The Completion Time for Required Action D.1 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:
- a. Two or more offsite circuits are inoperable; and
- b. A required feature is inoperable.
If, at any time during the existence of this Condition (two or more offsite circuits inoperable, i.e., any combination of Unit 2 and Unit 3 offsite circuits inoperable), a required feature subsequently becomes inoperable, this Completion Time begins to be tracked.
According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition D for a period that should not exceed 24 hours. This level of degradation means that the offsite electrical power system may not have the capability to effect a safe shutdown and to mitigate the effects of an accident; however, the onsite AC sources have not been degraded. This level of degradation generally corresponds to a total loss of the immediately accessible offsite power sources.
Because of the normally high availability of the offsite sources, this level of degradation may appear to be more severe than other combinations of two AC sources inoperable that involve one or more DGs inoperable. However, two factors tend to decrease the severity of this degradation level:
- a. The configuration of the redundant AC electrical power system that remains available is not susceptible to a single bus or switching failure; and
- b. The time required to detect and restore an unavailable offsite power source is generally much less than that required to detect and restore an unavailable onsite AC source.
With two or more of the offsite circuits inoperable, sufficient onsite AC sources are available to maintain the unit in a safe shutdown condition in the event of a DBA or transient. In fact, a simultaneous loss of offsite AC sources, a LOCA, and a worst case single failure were postulated as a part of the design basis in the safety analysis. Thus, the 24 hour Completion Time provides a period of time to effect restoration of all but one of the offsite circuits commensurate with the importance of maintaining an AC electrical power system capable of meeting its design criteria.
According to Regulatory Guide 1.93 (Ref. 6), with the available offsite AC sources two less than required by the LCO, operation may continue for 24 hours. If all offsite sources are restored within 24 hours, unrestricted operation may continue. If all but one offsite source is restored within 24 hours, power operation continues in accordance with Condition A.
E.1 and E.2 Pursuant to LCO 3.0.6, the Distribution Systems-Operating ACTIONS would not be entered even if all AC sources to it were inoperable, resulting in de-energization. Therefore, the Required Actions of Condition E are modified by a Note to indicate that when Condition E is entered with no AC source to any 4 kV emergency bus, ACTIONS for LCO 3.8.7, "Distribution Systems-Operating," must be immediately entered. This allows Condition E to provide requirements for the loss of the offsite circuit and one DG without regard to whether a 4 kV emergency bus is de-energized.
LCO 3.8.7 provides the appropriate restrictions for a de-energized 4 kV emergency bus.
According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition E for a period that should not exceed 12 hours. In Condition E, individual redundancy is lost in both the offsite electrical power system and the onsite AC electrical power system. Since power system redundancy is provided by two diverse sources of power, however, the reliability of the power systems in this Condition may appear higher than that in Condition D (loss of two or more offsite circuits). This difference in reliability is offset by the susceptibility of this power system configuration to a single bus or switching failure. The 12 hour Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and the low probability of a DBA occurring during this period.
F.1 With two or more DGs inoperable, with an assumed loss of offsite electrical power, insufficient standby AC sources are available to power the minimum required ESF functions.
Since the offsite electrical power system is the only source of AC power for the majority of ESF equipment at this level of degradation, the risk associated with continued operation for a very short time could be less than that associated with an immediate controlled shutdown. (The immediate shutdown could cause grid instability, which could result in a total loss of AC power.) Since any inadvertent unit generator trip could also result in a total loss of offsite AC power, however, the time allowed for continued operation is severely restricted. The intent here is to avoid the risk associated with an immediate controlled shutdown and to minimize the risk associated with this level of degradation.
According to Regulatory Guide 1.93 (Ref. 6), with two or more DGs inoperable, operation may continue for a period that should not exceed 2 hours. (Regulatory Guide 1.93 assumed the unit has two DGs. Thus, a loss of both DGs results in a total loss of onsite power. Therefore, a loss of more than two DGs, in the Peach Bottom Atomic Power Station design, results in degradation no worse than that assumed in Regulatory Guide 1.93.)
G.1 and G.2 If the inoperable AC electrical power source(s) cannot be restored to OPERABLE status within the associated Completion Time (Required Action and associated Completion Time of Condition A, C, D, E, or F not met; or Required Action B.2, B.3, B.4.1, B.4.2, or B.5 and associated Completion Time not met), the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
H.1 Condition H corresponds to a level of degradation in which redundancy in the AC electrical power supplies has been lost. At this severely degraded level, any further losses in the AC electrical power system may cause a loss of function. Therefore, no additional time is justified for continued operation. The unit is required by LCO 3.0.3 to commence a controlled shutdown.
SURVEILLANCE REQUIREMENTS The AC sources are designed to permit inspection and testing of all important areas and features, especially those that have a standby function, in accordance with UFSAR, Section 1.5.1 (Ref. 7). Periodic component tests are supplemented by extensive functional tests during refueling outages (under simulated accident conditions). The SRs for demonstrating the OPERABILITY of the DGs are consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3), Regulatory Guide 1.108 (Ref. 8), and Regulatory Guide 1.137 (Ref. 9).
As Noted at the beginning of the SRs, SR 3.8.1.1 through SR 3.8.1.20 are applicable only to the Unit 2 AC sources and SR 3.8.1.21 is applicable only to the Unit 3 AC sources.
Where the SRs discussed herein specify voltage and frequency tolerances, the following summary is applicable. The minimum steady state output voltage of 4160 V corresponds to the minimum steady state voltage analyzed in the PBAPS emergency DG voltage regulation study. This value allows for voltage drops to motors and other equipment down through the 120 V level. The specified maximum steady state output voltage of 4400 V is equal to the maximum steady state operating voltage specified for 4000 V motors. It ensures that for a lightly loaded distribution system, the voltage at the terminals of 4000 V motors is no more than the maximum rated steady state operating voltages. The specified minimum and maximum frequencies of the DG are 58.8 Hz and 61.2 Hz, respectively. These values are equal to +/- 2% of the 60 Hz nominal frequency and are derived from the recommendations found in Regulatory Guide 1.9 (Ref. 3).
SR 3.8.1.1
This SR ensures proper circuit continuity for the offsite AC electrical power supply to the onsite distribution network and availability of offsite AC electrical power. The breaker alignment verifies that each breaker is in its correct position to ensure that distribution buses and loads are connected to their preferred power source and that appropriate independence of offsite circuits is maintained.
The 7 day Frequency is adequate since breaker position is not likely to change without the operator being aware of it and because its status is displayed in the control room.
SR 3.8.1.2 and SR 3.8.1.7
These SRs help to ensure the availability of the standby electrical power supply to mitigate DBAs and transients and maintain the unit in a safe shutdown condition.
To minimize the wear on moving parts that do not get lubricated when the engine is not running, these SRs have been modified by a Note (Note 2 for SR 3.8.1.2 and Note 1 for SR 3.8.1.7) to indicate that all DG starts for these Surveillances may be preceded by an engine prelube period and followed by a warmup prior to loading.
For the purposes of this testing, the DGs are started from standby conditions. Standby conditions for a DG mean that the diesel engine coolant and oil are being continuously circulated and temperature is being maintained consistent with manufacturer recommendations.
In order to reduce stress and wear on diesel engines, the manufacturer recommends a modified start in which the starting speed of DGs is limited, warmup is limited to this lower speed, and the DGs are gradually accelerated to synchronous speed prior to loading. These start procedures are the intent of Note 3 to SR 3.8.1.2, which is only applicable when such modified start procedures are recommended by the manufacturer.
SR 3.8.1.7 requires that, at a 184 day Frequency, the DG starts from standby conditions and achieves required voltage and frequency within 10 seconds. The minimum voltage and frequency stated in the SR are those necessary to ensure the DG can accept DBA loading while maintaining acceptable voltage and frequency levels. Stable operation at the nominal voltage and frequency values is also essential to establishing DG OPERABILITY, but a time constraint is not imposed. This is because a typical DG will experience a period of voltage and frequency oscillations prior to reaching steady state operation if these oscillations are not damped out by load application. This period may extend beyond the 10 second acceptance criteria and could be a cause for failing the SR. In lieu of a time constraint in the SR, PBAPS will monitor and trend the actual time to reach steady state operation as a means of ensuring there is no voltage regulator or governor degradation which could cause a DG to become inoperable. The 10 second start requirement supports the assumptions in the design basis LOCA analysis of UFSAR, Section 8.5 (Ref. 10). The 10 second start requirement is not applicable to SR 3.8.1.2 (see Note 3 of SR 3.8.1.2), when a modified start procedure as described above is used. If a modified start is not used, the 10 second start requirement of SR 3.8.1.7 applies.
Since SR 3.8.1.7 requires a 10 second start, it is more restrictive than SR 3.8.1.2, and it may be performed in lieu of SR 3.8.1.2. This procedure is the intent of Note 1 of SR 3.8.1.2.
To minimize testing of the DGs, Note 4 to SR 3.8.1.2 and Note 2 to SR 3.8.1.7 allow a single test (instead of two tests, one for each unit) to satisfy the requirements for both units. This is allowed since the main purpose of the Surveillance can be met by performing the test on either unit. If the DG fails one of these Surveillances, the DG should be considered inoperable on both units, unless the cause of the failure can be directly related to only one unit.
The normal 31 day Frequency for SR 3.8.1.2 is consistent with Regulatory Guide 1.9 (Ref. 3). The 184 day Frequency for SR 3.8.1.7 is a reduction in cold testing consistent with Generic Letter 84-15 (Ref. 5). These Frequencies provide adequate assurance of DG OPERABILITY, while minimizing degradation resulting from testing.
SR 3.8.1.3
This Surveillance verifies that the DGs are capable of synchronizing and accepting a load approximately equivalent to that corresponding to the continuous rating. A minimum run time of 60 minutes is required to stabilize engine temperatures, while minimizing the time that the DG is connected to the offsite source.
This Surveillance verifies, indirectly, that the DGs are capable of synchronizing and accepting loads equivalent to post accident loads. The DGs are tested at a load approximately equivalent to their continuous duty rating, even though the post accident loads exceed the continuous rating. This is acceptable because regular surveillance testing at post accident loads is injurious to the DG, and imprudent because the same level of assurance in the ability of the DG to provide post accident loads can be developed by monitoring engine parameters during surveillance testing.
The values of the testing parameters can then be qualitatively compared to expected values at post accident engine loads. In making this comparison it is necessary to consider the engine parameters as interrelated indicators of remaining DG capacity, rather than independent indicators.
The important engine parameters to be considered in making this comparison include fuel rack position, scavenging air pressure, exhaust temperature and pressure, engine output, jacket water temperature, and lube oil temperature. With the DG operating at or near continuous rating and the observed values of the above parameters less than expected post accident values, a qualitative extrapolation which shows the DG is capable of accepting post accident loads can be made without requiring detrimental testing.
Although no power factor requirements are established by this SR, the DG is normally operated at a power factor between 0.8 lagging and 1.0. The 0.8 value is the design rating of the machine, while 1.0 is an operational limitation. The load band is provided to avoid routine overloading of the DG. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY.
The normal 31 day Frequency for this Surveillance is consistent with Regulatory Guide 1.9 (Ref. 3).
Note 1 modifies this Surveillance to indicate that diesel engine runs for this Surveillance may include gradual loading, as recommended by the manufacturer, so that mechanical stress and wear on the diesel engine are minimized.
Note 2 modifies this Surveillance by stating that momentary transients because of changing bus loads do not invalidate this test. Similarly, momentary power factor transients above the limit do not invalidate the test.
Note 3 indicates that this Surveillance should be conducted on only one DG at a time in order to avoid common cause failures that might result from offsite circuit or grid perturbations.
Note 4 stipulates a prerequisite requirement for performance of this SR. A successful DG start must precede this test to credit satisfactory performance.
To minimize testing of the DGs, Note 5 allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units, with the DG synchronized to the 4 kV emergency bus of Unit 2 for one periodic test and synchronized to the 4 kV emergency bus of Unit 3 during the next periodic test. This is allowed since the main purpose of the Surveillance, to ensure DG OPERABILITY, is still being verified on the proper frequency, and each unit's breaker control circuitry, which is only being tested every second test (due to the staggering of the tests), historically has a very low failure rate. Note 5 modifies the specified frequency for each unit's breaker control circuitry to be 62 days. If the DG fails one of these Surveillances, the DG should be considered inoperable on both units, unless the cause of the failure can be directly related to only one unit. In addition, if the test is scheduled to be performed on Unit 3, and the Unit 3 TS allowance that provides an exception to performing the test is used (i.e., when Unit 3 is in MODE 4 or 5, or moving irradiated fuel assemblies in the secondary containment, the Note to Unit 3 SR 3.8.2.1 provides an exception to performing this test) or if it is not preferable to perform the test on a unit due to operational concerns (however time is not to exceed 62 days plus grace), then the test shall be performed synchronized to the Unit 2 4 kV emergency bus.
This allowance is acceptable provided that the associated unit's breaker control circuitry portion of the Surveillance is performed within the SR frequency of 62 days plus SR 3.0.2 allowed grace period or the next scheduled Surveillance after the Technical Specification allowance is no longer applicable.
SR 3.8.1.4
This SR provides verification that the level of fuel oil in the day tank is adequate for a minimum of 1 hour of DG operation at full load. The level, which includes margin to account for the unusable volume of oil, is expressed as an equivalent volume in gallons.
The 31 day Frequency is adequate to ensure that a sufficient supply of fuel oil is available, since low level alarms are provided and facility operators would be aware of any large uses of fuel oil during this period.
SR 3.8.1.5
Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel oil day tanks once every 31 days eliminates the necessary environment for bacterial survival. This is the most effective means of controlling microbiological fouling.
In addition, it eliminates the potential for water entrainment in the fuel oil during DG operation. Water may come from any of several sources, including condensation, ground water, rain water, contaminated fuel oil, and breakdown of the fuel oil by bacteria. Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system. The Surveillance Frequencies are consistent with Regulatory Guide 1.137 (Ref. 9). This SR is for preventive maintenance. The presence of water does not necessarily represent a failure of this SR provided that accumulated water is removed during performance of this Surveillance.
SR 3.8.1.6
This Surveillance demonstrates that each required fuel oil transfer pump operates and automatically transfers fuel oil from its associated storage tank to its associated day tank. It is required to support continuous operation of standby power sources. This Surveillance provides assurance that the fuel oil transfer pump is OPERABLE, the fuel oil piping system is intact, the fuel delivery piping is not obstructed, and the controls and control systems for automatic fuel transfer systems are OPERABLE.
Manual operator action may be used during performance of surveillance testing in lieu of automatic action, and will maintain the automatic transfer system operable. The operator actions will be administratively controlled by the procedures.
The Frequency for this SR is 31 days because the design of the fuel transfer system is such that pumps operate automatically in order to maintain an adequate volume of fuel oil in the day tanks during or following DG testing and proper operation of fuel transfer systems is an inherent part of DG OPERABILITY.
SR 3.8.1.8
Transfer of each 4 kV emergency bus power supply from the normal offsite circuit to the alternate offsite circuit demonstrates the OPERABILITY of the alternate circuit distribution network to power the shutdown loads. The 24 month Frequency of the Surveillance is based on engineering judgment taking into consideration the plant conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths. Operating experience has shown that these components will pass the SR when performed on the 24 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.
This SR is modified by a Note. The reason for the Note is that, during operation with the reactor critical, performance of this SR could cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, plant safety systems. This Surveillance tests the applicable logic associated with Unit 2. The comparable test specified in Unit 3 Technical Specifications tests the applicable logic associated with Unit 3. Consequently, a test must be performed within the specified Frequency for each unit. As the Surveillance represents separate tests, the Note specifying the restriction for not performing the test while the unit is in MODE 1 or 2 does not have applicability to Unit 3. The Note only applies to Unit 2, thus the Unit 2 Surveillance shall not be performed with Unit 2 in MODE 1 or 2. Credit may be taken for unplanned events that satisfy this SR.
SR 3.8.1.9
Each DG is provided with an engine overspeed trip to prevent damage to the engine. Recovery from the transient caused by the loss of a large load could cause diesel engine overspeed, which, if excessive, might result in a trip of the engine. This Surveillance demonstrates the DG load response characteristics and capability to reject the largest single load without exceeding predetermined voltage and frequency and while maintaining a specified margin to the overspeed trip. The largest single load for each DG is a residual heat removal pump (2000 bhp). This Surveillance may be accomplished by: 1) tripping the DG output breakers with the DG carrying greater than or equal to its associated single largest post-accident load while paralleled to offsite power, or while solely supplying the bus, or 2) tripping its associated single largest post-accident load with the DG solely supplying the bus. Currently, the second option is the method PBAPS utilizes because the first method will result in steady state operation outside the allowable voltage and frequency limits. Consistent with Regulatory Guide 1.9 (Ref. 3), the load rejection test is acceptable if the diesel speed does not exceed the nominal (synchronous) speed plus 75% of the difference between nominal speed and the overspeed trip setpoint, or 115% of nominal speed, whichever is lower.
The time, voltage, and frequency tolerances specified in this SR are derived from Regulatory Guide 1.9 (Ref. 3) recommendations for response during load sequence intervals. The 1.8 seconds specified for voltage and the 2.4 seconds specified for frequency are equal to 60% and 80%, respectively, of the 3 second load sequence interval associated with sequencing the next load following the residual heat removal (RHR) pumps during an undervoltage on the bus concurrent with a LOCA. The voltage and frequency specified are consistent with the design range of the equipment powered by the DG. SR 3.8.1.9.a corresponds to the maximum frequency excursion, while SR 3.8.1.9.b and SR 3.8.1.9.c provide steady state voltage and frequency values to which the system must recover following load rejection. The 24 month Frequency takes into consideration plant conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.
This SR is modified by two Notes. In order to ensure that the DG is tested under load conditions that are as close to design basis conditions as possible, Note 1 requires that if synchronized to offsite power, testing must be performed using a power factor ≤ 0.89. This power factor is chosen to be representative of the actual design basis inductive loading that the DG would experience.
To minimize testing of the DGs, Note 2 allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units. This is allowed since the main purpose of the Surveillance can be met by performing the test on either unit. If the DG fails one of these Surveillances, the DG should be considered inoperable on both units, unless the cause of the failure can be directly related to only one unit.
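The acceptance logic described above for SR 3.8.1.9, written out as an added Python example; it is not part of the PBAPS Bases or of any plant procedure. The two traces and the 115% overspeed trip setpoint are constructed, the recovery bands reuse the steady state limits summarized earlier in these Bases as an assumption, and engine speed is assumed proportional to generator frequency.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

NOMINAL_HZ = 60.0
VOLT_BAND_V = (4160.0, 4400.0)  # steady state voltage limits from the Bases summary (assumed recovery band)
FREQ_BAND_HZ = (58.8, 61.2)     # +/- 2% of 60 Hz (assumed recovery band)
VOLT_RECOVERY_S = 1.8           # 60% of the 3 second load sequence interval
FREQ_RECOVERY_S = 2.4           # 80% of the 3 second load sequence interval

# One sample: (seconds after load rejection, bus volts, generator hertz)
Sample = Tuple[float, float, float]


def overspeed_limit_pct(trip_setpoint_pct: float) -> float:
    """Speed limit in percent of nominal: nominal plus 75% of the margin to
    the overspeed trip setpoint, or 115% of nominal, whichever is lower."""
    return min(100.0 + 0.75 * (trip_setpoint_pct - 100.0), 115.0)


def recovery_time(series: List[Tuple[float, float]],
                  band: Tuple[float, float]) -> Optional[float]:
    """Time of the first sample after which the value stays inside the band
    for the rest of the record; None if the record ends out of band."""
    lo, hi = band
    settled_at = None
    for t, value in series:
        if lo <= value <= hi:
            if settled_at is None:
                settled_at = t
        else:
            settled_at = None  # left the band again, restart the clock
    return settled_at


@dataclass
class LoadRejectionResult:
    peak_speed_pct: float
    speed_limit_pct: float
    volt_recovery_s: Optional[float]
    freq_recovery_s: Optional[float]
    findings: List[str] = field(default_factory=list)

    @property
    def passed(self) -> bool:
        return not self.findings


def evaluate(trace: List[Sample], trip_setpoint_pct: float) -> LoadRejectionResult:
    """Check one load rejection record against the three criteria."""
    if not trace:
        raise ValueError("empty trace")
    trace = sorted(trace)
    # Assumption: synchronous machine, so speed in percent tracks frequency.
    peak = max(hz for _, _, hz in trace) / NOMINAL_HZ * 100.0
    limit = overspeed_limit_pct(trip_setpoint_pct)
    v_rec = recovery_time([(t, v) for t, v, _ in trace], VOLT_BAND_V)
    f_rec = recovery_time([(t, hz) for t, _, hz in trace], FREQ_BAND_HZ)
    result = LoadRejectionResult(peak, limit, v_rec, f_rec)
    if peak > limit:
        result.findings.append(f"peak speed {peak:.2f}% exceeds limit {limit:.2f}%")
    if v_rec is None or v_rec > VOLT_RECOVERY_S:
        result.findings.append(f"voltage recovery {v_rec} s exceeds {VOLT_RECOVERY_S} s")
    if f_rec is None or f_rec > FREQ_RECOVERY_S:
        result.findings.append(f"frequency recovery {f_rec} s exceeds {FREQ_RECOVERY_S} s")
    return result


# Constructed traces (not plant data).
PASSING_TRACE: List[Sample] = [
    (0.0, 4250.0, 60.0), (0.2, 4520.0, 62.4), (0.4, 4480.0, 63.1),
    (0.8, 4410.0, 62.0), (1.2, 4390.0, 61.5), (1.6, 4350.0, 61.1),
    (2.0, 4300.0, 60.6), (3.0, 4280.0, 60.2),
]
# Same record, but frequency swings back out of band at 2.0 s.
LATE_TRACE: List[Sample] = [
    s if s[0] != 2.0 else (2.0, 4300.0, 61.4) for s in PASSING_TRACE
]

if __name__ == "__main__":
    for name, trace in (("passing", PASSING_TRACE), ("late", LATE_TRACE)):
        r = evaluate(trace, trip_setpoint_pct=115.0)
        print(name, "PASS" if r.passed else "FAIL", r.findings)
```

Keeping the measured recovery times in the result, rather than only a pass/fail flag, supports the trending of regulator and governor response that these Bases describe for the start tests.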
SR 3.8.1.10
Consistent with Regulatory Guide 1.9 (Ref. 3), paragraph C.2.2.8, this Surveillance demonstrates the DG capability to reject a full load without overspeed tripping or exceeding the predetermined voltage limits. The DG full load rejection may occur because of a system fault or inadvertent breaker tripping. This Surveillance ensures proper engine generator load response under the simulated test conditions. This test simulates the loss of the total connected load that the DG experiences following a full load rejection and verifies that the DG does not trip upon loss of the load. These acceptance criteria provide DG damage protection. While the DG is not expected to experience this transient during an event, and continue to be available, this response ensures that the DG is not degraded for future application, including reconnection to the bus if the trip initiator can be corrected or isolated.
In order to ensure that the DG is tested under load conditions that are as close to design basis conditions as possible, testing must be performed using a power factor < 0.89. This power factor is chosen to be representative of the actual design basis inductive loading that the DG would experience.
The 24 month Frequency takes into consideration plant conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.
This SR is modified by a Note. To minimize testing of the DGs, the Note allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units. This is allowed since the main purpose of the Surveillance can be met by performing the test on either unit. If the DG fails one of these Surveillances, the DG should be considered inoperable on both units, unless the cause of the failure can be directly related to only one unit.
SR 3.8.1.11
Consistent with Regulatory Guide 1.9 (Ref. 3), paragraph C.2.2.4, this Surveillance demonstrates the as designed operation of the standby power sources during loss of the offsite source. This test verifies all actions encountered from the loss of offsite power, including shedding of all loads and energization of the emergency buses and respective loads from the DG. It further demonstrates the capability of the DG to automatically achieve the required voltage and frequency within the specified time.
The DG auto-start and energization of the associated 4 kV emergency bus time of 10 seconds is derived from requirements of the accident analysis for responding to a design basis large break LOCA. The Surveillance should be continued for a minimum of 5 minutes in order to demonstrate that all starting transients have decayed and stability has been achieved.
The requirement to verify the connection and power supply of auto-connected loads is intended to satisfactorily show the relationship of these loads to the DG loading logic. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, Emergency Core Cooling Systems (ECCS) injection valves are not desired to be stroked open, or systems are not capable of being operated at full flow, or RHR systems performing a decay heat removal function are not desired to be realigned to the ECCS mode of operation. In lieu of actual demonstration of the connection and loading of these loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.
The Frequency of 24 months takes into consideration plant conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.
This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. For the purpose of this testing, the DGs shall be started from standby conditions, that is, with the engine coolant and oil being continuously circulated and temperature maintained consistent with manufacturer recommendations. The reason for Note 2 is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This Surveillance tests the applicable logic associated with Unit 2. The comparable test specified in the Unit 3 Technical Specifications tests the applicable logic associated with Unit 3. Consequently, a test must be performed within the specified Frequency for each unit. As the Surveillance represents separate tests, the Note specifying the restriction for not performing the test while the unit is in MODE 1, 2, or 3 does not have applicability to Unit 3. The Note only applies to Unit 2, thus the Unit 2 Surveillances shall not be performed with Unit 2 in MODE 1, 2, or 3. Credit may be taken for unplanned events that satisfy this SR.
SR 3.8.1.12
Consistent with Regulatory Guide 1.9 (Ref. 3), paragraph C.2.2.5, this Surveillance demonstrates that the DG automatically starts and achieves the required voltage and frequency within the specified time (10 seconds) from the design basis actuation signal (LOCA signal) and operates for > 5 minutes. The minimum voltage and frequency stated in the SR are those necessary to ensure the DG can accept DBA loading while maintaining acceptable voltage and frequency levels. Stable operation at the nominal voltage and frequency values is also essential to establishing DG OPERABILITY, but a time constraint is not imposed. This is because a typical DG will experience a period of voltage and frequency oscillations prior to reaching steady state operation if these oscillations are not damped out by load application. This period may extend beyond the 10 second acceptance criteria and could be a cause for failing the SR.
In lieu of a time constraint in the SR, PBAPS will monitor and trend the actual time to reach steady state operation as a means of ensuring there is no voltage regulator or governor degradation which could cause a DG to become inoperable. The 5 minute period provides sufficient time to demonstrate stability. SR 3.8.1.12.d and SR 3.8.1.12.e ensure that permanently connected loads and emergency loads are energized from the offsite electrical power system on a LOCA signal without loss of offsite power.
The requirement to verify the connection and power supply of permanent and autoconnected loads is intended to satisfactorily show the relationship of these loads to the loading logic for loading onto offsite power. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, ECCS injection valves are not desired to be stroked open, ECCS systems are not capable of being operated at full flow, or RHR systems performing a decay heat removal function are not desired to be realigned to the ECCS mode of operation. In lieu of actual demonstration of the connection and loading of these loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.
The Frequency of 24 months takes into consideration plant conditions required to perform the Surveillance and is intended to be consistent with the expected fuel cycle lengths.
This SR is modified by a Note. The reason for the Note is to minimize wear and tear on the DGs during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil being continuously circulated and temperature maintained consistent with manufacturer recommendations.
SR 3.8.1.13
Consistent with Regulatory Guide 1.9 (Ref. 3), paragraph C.2.2.12, this Surveillance demonstrates that DG non-critical protective functions (e.g., high jacket water temperature) are bypassed on an ECCS initiation test signal and critical protective functions (engine overspeed, generator differential overcurrent, generator ground neutral overcurrent, and manual cardox initiation) trip the DG to avert substantial damage to the DG unit. The non-critical trips are bypassed during DBAs and continue to provide an alarm on an abnormal engine condition. This alarm provides the operator with sufficient time to react appropriately.
The DG availability to mitigate the DBA is more critical than protecting the engine against minor problems that are not immediately detrimental to emergency operation of the DG.
The 24 month Frequency is based on engineering judgment, takes into consideration plant conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.
To minimize testing of the DGs, the Note to this SR allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units. This is allowed since the main purpose of the Surveillance can be met by performing the test on either unit. If the DG fails one of these Surveillances, the DG should be considered inoperable on both units, unless the cause of the failure can be directly related to only one unit.
SR 3.8.1.14
Consistent with Regulatory Guide 1.9 (Ref. 3), paragraph C.2.2.9, this Surveillance requires demonstration that the DGs can start and run continuously at full load capability for an interval of not less than 24 hours - 22 hours of which is at a load equivalent to 90% to 100% of the continuous duty rating of the DG, and 2 hours of which is at a load equivalent to 105% to 110% of the continuous duty rating of the DG. The DG starts for this Surveillance can be performed either from standby or hot conditions. The provisions for prelube and warmup, discussed in SR 3.8.1.2, and for gradual loading, discussed in SR 3.8.1.3, are applicable to this SR.
This Surveillance verifies, indirectly, that the DGs are capable of synchronizing and accepting loads equivalent to post accident loads. The DGs are tested at a load approximately equivalent to their continuous duty rating, even though the post accident loads exceed the continuous rating. This is acceptable because regular surveillance testing at post accident loads is injurious to the DG, and imprudent because the same level of assurance in the ability of the DG to provide post accident loads can be developed by monitoring engine parameters during surveillance testing.
The values of the testing parameters can then be qualitatively compared to expected values at post accident engine loads. In making this comparison it is necessary to consider the engine parameters as interrelated indicators of remaining DG capacity, rather than independent indicators.
The important engine parameters to be considered in making this comparison include fuel rack position, scavenging air pressure, exhaust temperature and pressure, engine output, jacket water temperature, and lube oil temperature. With the DG operating at or near continuous rating and the observed values of the above parameters less than expected post accident values, a qualitative extrapolation which shows the DG is capable of accepting post accident loads can be made without requiring detrimental testing.
In order to ensure that the DG is tested under load conditions that are as close to design conditions as possible, testing must be performed using a power factor ≤ 0.89. This power factor is chosen to be representative of the actual design basis inductive loading that the DG could experience. A load band is provided to avoid routine overloading of the DG. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY.
The 24 month Frequency takes into consideration plant conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.
This Surveillance has been modified by three Notes. Note 1 states that momentary transients due to changing bus loads do not invalidate this test. Similarly, momentary power factor transients above the limit do not invalidate the test. Note 2 is provided in recognition that if the offsite electrical power distribution system voltage is high, it may not be possible to raise DG output voltage without creating an overvoltage condition on the emergency bus. Therefore, to ensure the bus voltage and supplied loads, and DG are not placed in an unsafe condition during this test, the power factor limit does not have to be met if grid voltage or emergency bus loading does not permit the power factor limit to be met when the DG is tied to the grid. When this occurs, the power factor should be maintained as close to the limit as practicable. To minimize testing of the DGs, Note 3 allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units. This is allowed since the main purpose of the Surveillance can be met by performing the test on either unit. If the DG fails one of these Surveillances, the DG should be considered inoperable on both units, unless the cause of the failure can be directly related to only one unit.
SR 3.8.1.15 This Surveillance demonstrates that the diesel engine can restart from a hot condition, such as subsequent to shutdown from normal Surveillances, and achieve the required voltage and frequency within 10 seconds. The minimum voltage and frequency stated in the SR are those necessary to ensure the DG can accept DBA loading while maintaining acceptable voltage and frequency levels. Stable operation at the nominal voltage and frequency values is also essential to establishing DG OPERABILITY, but a time constraint is not imposed. This is because a typical DG will experience a period of voltage and frequency oscillations prior to reaching steady state operation if these oscillations are not damped out by load application. This period may extend beyond the 10 second acceptance criteria and could be a cause for failing the SR. In lieu of a time constraint in the SR, PBAPS will monitor and trend the actual time to reach steady state operation as a means of ensuring there is no voltage regulator or governor degradation which could cause a DG to become inoperable. The 10 second time is derived from the requirements of the accident analysis to respond to a design basis large break LOCA. The 24 month Frequency takes into consideration plant conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.
This SR is modified by three Notes. Note 1 ensures that the test is performed with the diesel sufficiently hot. The requirement that the diesel has operated for at least 2 hours at full load conditions prior to performance of this Surveillance is based on manufacturer recommendations for achieving hot conditions. The load band is provided to avoid routine overloading of the DG. Routine overloads may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY. Momentary transients due to changing bus loads do not invalidate this test. Note 2 allows all DG starts to be preceded by an engine prelube period to minimize wear and tear on the diesel during testing. To minimize testing of the DGs, Note 3 allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units. This is allowed since the main purpose of the Surveillance can be met by performing the test on either unit. If the DG fails one of these Surveillances, the DG should be considered inoperable on both units, unless the cause of the failure can be directly related to only one unit.
SR 3.8.1.16 Consistent with Regulatory Guide 1.9 (Ref. 3), paragraph C.2.2.11, this Surveillance ensures that the manual synchronization and load transfer from the DG to the offsite source can be made and that the DG can be returned to ready-to-load status when offsite power is restored. It also ensures that the auto-start logic is reset to allow the DG to reload if a subsequent loss of offsite power occurs.
The DG is considered to be in ready-to-load status when the DG is at rated speed and voltage, the output breaker is open and can receive an auto-close signal on bus undervoltage, and individual load timers are reset.
The Frequency of 24 months takes into consideration plant conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.
This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This Surveillance tests the applicable logic associated with Unit 2. The comparable test specified in the Unit 3 Technical Specifications tests the applicable logic associated with Unit 3. Consequently, a test must be performed within the specified Frequency for each unit. As the Surveillance represents separate tests, the Note specifying the restriction for not performing the test while the unit is in MODE 1, 2, or 3 does not have applicability to Unit 3. The Note only applies to Unit 2, thus the Unit 2 Surveillances shall not be performed with Unit 2 in MODE 1, 2, or 3. Credit may be taken for unplanned events that satisfy this SR.
SR 3.8.1.17 Consistent with Regulatory Guide 1.9 (Ref. 3), paragraph C.2.2.13, demonstration of the test mode override ensures that the DG availability under accident conditions is not compromised as the result of testing. Interlocks to the LOCA sensing circuits cause the DG to automatically reset to ready-to-load operation if a Unit 2 ECCS initiation signal is received during operation in the test mode while synchronized to either Unit 2 or a Unit 3 4 kV emergency bus. Ready-to-load operation is defined as the DG running at rated speed and voltage with the DG output breaker open.
The requirement to automatically energize the emergency loads with offsite power ensures that the emergency loads will connect to an offsite source. This is performed by ensuring that the affected 4 kV bus remains energized following a simulated LOCA trip of the DG output breaker, and ensuring 4 kV and ECCS logic performs as designed to connect all emergency loads to an offsite source. The requirement for 4 kV bus loading is covered by overlapping SRs specified in Specification 3.8.1, "AC Sources-Operating" and 3.3.5.1 "ECCS Instrumentation". In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the emergency loads to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading is verified.
The 24 month Frequency takes into consideration plant conditions required to perform the Surveillance and is intended to be consistent with expected fuel cycle length.
To minimize testing of the DGs, the Note allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units. This is allowed since the main purpose of the Surveillance can be met by performing the test on either unit. If the DG fails one of these Surveillances, the DG should be considered inoperable on both units, unless the cause of the failure can be directly related to only one unit.
SR 3.8.1.18 Under accident and loss of offsite power conditions, loads are sequentially connected to the bus by individual load timers. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading of the DGs due to high motor starting currents. The 10% load sequence time interval tolerance ensures that sufficient time exists for the DG to restore frequency and voltage prior to applying the next load and that safety analysis assumptions regarding ESF equipment time delays are not violated. Reference 10 provides a summary of the automatic loading of emergency buses.
The Frequency of 24 months takes into consideration plant conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.
This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This Surveillance tests the applicable logic associated with Unit 2. The comparable test specified in the Unit 3 Technical Specifications tests the applicable logic associated with Unit 3. Consequently, a test must be performed within the specified Frequency for each unit. As the Surveillance represents separate tests, the Note specifying the restriction for not performing the test while the unit is in MODE 1, 2, or 3 does not have applicability to Unit 3. The Note only applies to Unit 2, thus the Unit 2 Surveillances shall not be performed with Unit 2 in MODE 1, 2, or 3. Credit may be taken for unplanned events that satisfy this SR.
SR 3.8.1.19 In the event of a DBA coincident with a loss of offsite power, the DGs are required to supply the necessary power to ESF systems so that the fuel, RCS, and containment design limits are not exceeded.
This Surveillance demonstrates DG operation, as discussed in the Bases for SR 3.8.1.11, during a loss of offsite power actuation test signal in conjunction with an ECCS initiation signal. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.
The Frequency of 24 months takes into consideration plant conditions required to perform the Surveillance and is intended to be consistent with an expected fuel cycle length of 24 months.
This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil being continuously circulated and temperature maintained consistent with manufacturer recommendations. The reason for Note 2 is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This Surveillance tests the applicable logic associated with Unit 2. The comparable test specified in the Unit 3 Technical Specifications tests the applicable logic associated with Unit 3. Consequently, a test must be performed within the specified Frequency for each unit. As the Surveillance represents separate tests, the Note specifying the restriction for not performing the test while the unit is in MODE 1, 2, or 3 does not have applicability to Unit 3. The Note only applies to Unit 2, thus the Unit 2 Surveillances shall not be performed with Unit 2 in MODE 1, 2, or 3. Credit may be taken for unplanned events that satisfy this SR.
SR 3.8.1.20 This Surveillance demonstrates that the DG starting independence has not been compromised. Also, this Surveillance demonstrates that each engine can achieve proper speed within the specified time when the DGs are started simultaneously.
The minimum voltage and frequency stated in the SR are those necessary to ensure the DG can accept DBA loading while maintaining acceptable voltage and frequency levels. Stable operation at the nominal voltage and frequency values is also essential to establishing DG OPERABILITY, but a time constraint is not imposed. This is because a typical DG will experience a period of voltage and frequency oscillations prior to reaching steady state operation if these oscillations are not damped out by load application.
This period may extend beyond the 10 second acceptance criteria and could be a cause for failing the SR. In lieu of a time constraint in the SR, PBAPS will monitor and trend the actual time to reach steady state operation as a means of ensuring there is no voltage regulator or governor degradation which could cause a DG to become inoperable.
The 10 year Frequency is consistent with the recommendations of Regulatory Guide 1.108 (Ref. 8). This SR is modified by two Notes. The reason for Note 1 is to minimize wear on the DG during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations. To minimize testing of the DGs, Note 2 allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units. This is allowed since the main purpose of the Surveillance can be met by performing the test on either unit. If a DG fails one of these Surveillances, a DG should be considered inoperable on both units, unless the cause of the failure can be directly related to only one unit.
SR 3.8.1.21 With the exception of this Surveillance, all other Surveillances of this Specification (SR 3.8.1.1 through SR 3.8.1.20) are applied only to the Unit 2 AC sources.
This Surveillance is provided to direct that the appropriate Surveillances for the required Unit 3 AC sources are governed by the applicable Unit 3 Technical Specifications.
Performance of the applicable Unit 3 Surveillances will satisfy Unit 3 requirements, as well as satisfying this Unit 2 Surveillance Requirement. Six exceptions are noted to the Unit 3 SRs of LCO 3.8.1. SR 3.8.1.8 is excepted when only one Unit 3 offsite circuit is required by the Unit 2 Specification, since there is not a second circuit to transfer to. SR 3.8.1.12, SR 3.8.1.13, SR 3.8.1.17, SR 3.8.1.18 (ECCS load block requirements only), and SR 3.8.1.19 are excepted since these SRs test the Unit 3 ECCS initiation signal, which is not needed for the AC sources to be OPERABLE on Unit 2.
The Frequency required by the applicable Unit 3 SR also governs performance of that SR for Unit 2.
As Noted, if Unit 3 is in MODE 4 or 5, or moving irradiated fuel assemblies in the secondary containment, the Note to Unit 3 SR 3.8.2.1 is applicable. This ensures that a Unit 2 SR will not require a Unit 3 SR to be performed, when the Unit 3 Technical Specifications exempts performance of a Unit 3 SR. (However, as stated in the Unit 3 SR 3.8.2.1 Note, while performance of an SR is exempted, the SR still must be met.)
REFERENCES
1. UFSAR, Sections 1.5 and 8.4.2.
2. UFSAR, Sections 8.3 and 8.4.
3. Regulatory Guide 1.9, July 1993.
4. UFSAR, Chapter 14.
6. Regulatory Guide 1.93, December 1974.
7. UFSAR, Section 1.5.1.
8. Regulatory Guide 1.108, August 1977.
9. Regulatory Guide 1.137, October 1979.
10. UFSAR, Section 8.5.
AC Sources-Shutdown B 3.8.2 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.2 AC Sources-Shutdown BASES BACKGROUND A description of the AC sources is provided in the Bases for LCO 3.8.1, "AC Sources-Operating."
APPLICABLE SAFETY ANALYSES The OPERABILITY of the minimum AC sources during MODES 4 and 5 and during movement of irradiated fuel assemblies in secondary containment ensures that:
- a. The facility can be maintained in the shutdown or refueling condition for extended periods;
- b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and
- c. Adequate AC electrical power is provided to mitigate events postulated during shutdown, such as an inadvertent draindown of the vessel or a fuel handling accident.
In general, when the unit is shut down the Technical Specifications requirements ensure that the unit has the capability to mitigate the consequences of postulated accidents. However, assuming a single failure and concurrent loss of all offsite or loss of all onsite power is not required. The rationale for this is based on the fact that many Design Basis Accidents (DBAs) that are analyzed in MODES 1, 2, and 3 have no specific analyses in MODES 4 and 5. Worst case bounding events are deemed not credible in MODES 4 and 5 because the energy contained within the reactor pressure boundary, reactor coolant temperature and pressure, and corresponding stresses result in the probabilities of occurrences significantly reduced or eliminated, and minimal consequences. These deviations from DBA analysis assumptions and design requirements during shutdown conditions are allowed by the LCO for required systems.
During MODES 1, 2, and 3, various deviations from the analysis assumptions and design requirements are allowed within the ACTIONS. This allowance is in recognition that certain testing and maintenance activities must be conducted, provided an acceptable level of risk is not exceeded. During MODES 4 and 5, performance of a significant number of required testing and maintenance activities is also required. In MODES 4 and 5, the activities are generally planned and administratively controlled. Relaxations from typical MODES 1, 2, and 3 LCO requirements are acceptable during shutdown MODES, based on:
- a. The fact that time in an outage is limited. This is a risk prudent goal as well as a utility economic consideration.
- b. Requiring appropriate compensatory measures for certain conditions. These may include administrative controls, reliance on systems that do not necessarily meet typical design requirements applied to systems credited in operation MODE analyses, or both.
- c. Prudent utility consideration of the risk associated with multiple activities that could affect multiple systems.
- d. Maintaining, to the extent practical, the ability to perform required functions (even if not meeting MODES 1, 2, and 3 OPERABILITY requirements) with systems assumed to function during an event.
In the event of an accident during shutdown, this LCO ensures the capability of supporting systems necessary for avoiding immediate difficulty, assuming either a loss of all offsite power or a loss of all onsite (diesel generator (DG)) power.
The AC sources satisfy Criterion 3 of the NRC Policy Statement.
LCO One offsite circuit supplying the Unit 2 onsite Class 1E power distribution subsystem(s) of LCO 3.8.8, "Distribution Systems-Shutdown," ensures that all required Unit 2 powered loads are powered from offsite power. Two OPERABLE DGs, associated with the Unit 2 onsite Class 1E power distribution subsystem(s) required OPERABLE by LCO 3.8.8, ensures that a diverse power source is available for providing electrical power support assuming a loss of the offsite circuit. In addition, some equipment that may be required by Unit 2 is powered from Unit 3 sources (e.g., Standby Gas Treatment (SGT) System). Therefore, one qualified circuit between the offsite transmission network and the Unit 3 onsite Class 1E AC electrical power distribution subsystem(s), and one DG (not necessarily a different DG than those being used to meet LCO 3.8.2.b requirements) capable of supplying power to one of the required Unit 3 subsystems of each of the required components must also be OPERABLE. Together, OPERABILITY of the required offsite circuit(s) and required DG(s) ensures the availability of sufficient AC sources to operate the plant in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents and reactor vessel draindown).
The qualified Unit 2 offsite circuit must be capable of maintaining rated frequency and voltage while connected to the respective Unit 2 4 kV emergency bus(es), and of accepting required loads during an accident. Qualified offsite circuits are those that are described in the UFSAR, Technical Specification Bases Section 3.8.1 and are part of the licensing basis for the unit. A Unit 2 offsite circuit consists of the incoming breaker and disconnect to the startup and emergency auxiliary transformer, the respective circuit path to the emergency auxiliary transformer, and the circuit path to the Unit 2 4 kV emergency buses required by LCO 3.8.8, including feeder breakers to the required Unit 2 4 kV emergency buses. A qualified Unit 3 offsite circuit's requirements are the same as the Unit 2 circuit's requirements, except that the circuit path, including the feeder breakers, is to the Unit 3 4 kV emergency buses required to be OPERABLE by LCO 3.8.8.
The required DGs must be capable of starting, accelerating to rated speed and voltage, and connecting to their respective Unit 2 emergency bus on detection of bus undervoltage. This sequence must be accomplished within 10 seconds. Each DG must also be capable of accepting required loads within the assumed loading sequence intervals, and must continue to operate until offsite power can be restored to the 4 kV emergency buses. These capabilities are required to be met from a variety of initial conditions such as DG in standby with engine hot and DG in standby with engine at ambient conditions. Additional DG capabilities must be demonstrated to meet required Surveillances, e.g., capability of the DG to revert to standby status on an ECCS signal while operating in parallel test mode. Proper sequencing of loads is a required function for DG OPERABILITY. The necessary portions of the Emergency Service Water System are also required to provide appropriate cooling to each required DG.
The OPERABILITY requirements for the DG capable of supplying power to the Unit 3 powered equipment are the same as described above, except that the required DG must be capable of connecting to its respective Unit 3 4 kV emergency bus.
(In addition, the Unit 3 ECCS initiation logic SRs are not applicable, as described in SR 3.8.2.2 Bases.)
It is acceptable for 4 kV emergency buses to be cross tied during shutdown conditions, permitting a single offsite power circuit to supply all required buses. No automatic transfer capability is required for offsite circuits to be considered OPERABLE.
APPLICABILITY The AC sources are required to be OPERABLE in MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment to provide assurance that:
- a. Systems providing adequate coolant inventory makeup are available for the irradiated fuel assemblies in the core in case of an inadvertent draindown of the reactor vessel;
- b. Systems needed to mitigate a fuel handling accident are available;
- c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and
- d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.
AC power requirements for MODES 1, 2, and 3 are covered in LCO 3.8.1.
ACTIONS LCO 3.0.3 is not applicable while in MODE 4 or 5. However, since irradiated fuel assembly movement can occur in MODE 1, 2, or 3, the ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, in either case, inability to suspend movement of irradiated fuel assemblies would not be sufficient reason to require a reactor shutdown.
A.1 and B.1 With one or more required offsite circuits inoperable, or with one DG inoperable, the remaining required sources may be capable of supporting sufficient required features (e.g., system, subsystem, division, component, or device) to allow continuation of CORE ALTERATIONS, fuel movement, and operations with a potential for draining the reactor vessel. For example, if two or more 4 kV emergency buses are required per LCO 3.8.8, one 4 kV emergency bus with offsite power available may be capable of supplying sufficient required features. By the allowance of the option to declare required features inoperable that are not powered from offsite power (Required Action A.1) or capable of being powered by the required DG (Required Action B.1), appropriate restrictions can be implemented in accordance with the affected feature(s) LCOs' ACTIONS. Required features remaining powered from a qualified offsite power circuit, even if that circuit is considered inoperable because it is not powering other required features, are not declared inoperable by this Required Action. If a single DG is credited with meeting both LCO 3.8.2.d and one of the DG requirements of LCO 3.8.2.b, then the required features remaining capable of being powered by the DG are not declared inoperable by this Required Action, even if the DG is considered inoperable because it is not capable of powering other required features.
A.2.1, A.2.2, A.2.3, A.2.4, B.2.1, B.2.2, B.2.3, B.2.4, C.1, C.2, C.3, and C.4 With an offsite circuit not available to all required 4 kV emergency buses or one required DG inoperable, the option still exists to declare all required features inoperable (per Required Actions A.1 and B.1). Since this option may involve undesired administrative efforts, the allowance for sufficiently conservative actions is made. With two or more required DGs inoperable, the minimum required diversity of AC power sources may not be available. It is, therefore, required to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies in the secondary containment, and activities that could result in inadvertent draining of the reactor vessel.
Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition.
These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required AC sources and to continue this action until restoration is accomplished in order to provide the necessary AC power to the plant safety systems.
The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required AC electrical power sources should be completed as quickly as possible in order to minimize the time during which the plant safety systems may be without sufficient power.
Pursuant to LCO 3.0.6, the Distribution System ACTIONS would not be entered even if all AC sources to it are inoperable, resulting in de-energization. Therefore, the Required Actions of Condition A have been modified by a Note to indicate that when Condition A is entered with no AC power to any required 4 kV emergency bus, ACTIONS for LCO 3.8.8 must be immediately entered. This Note allows Condition A to provide requirements for the loss of the offsite circuit whether or not a required bus is de-energized. LCO 3.8.8 provides the appropriate restrictions for the situation involving a de-energized bus.
SURVEILLANCE REQUIREMENTS SR 3.8.2.1
SR 3.8.2.1 requires the SRs from LCO 3.8.1 that are necessary for ensuring the OPERABILITY of the Unit 2 AC sources in other than MODES 1, 2, and 3. SR 3.8.1.8 is not required to be met since only one offsite circuit is required to be OPERABLE. SR 3.8.1.17 is not required to be met because the required OPERABLE DG(s) is not required to undergo periods of being synchronized to the offsite circuit. SR 3.8.1.20 is excepted because starting independence is not required with the DG(s) that is not required to be OPERABLE. Refer to the corresponding Bases for LCO 3.8.1 for a discussion of each SR.
This SR is modified by a Note. The reason for the Note is to preclude requiring the OPERABLE DG(s) from being paralleled with the offsite power network or otherwise rendered inoperable during the performance of SRs, and to preclude de-energizing a required 4 kV emergency bus or disconnecting a required offsite circuit during performance of SRs. With limited AC sources available, a single event could compromise both the required circuit and the DG. It is the intent that these SRs must still be capable of being met, but actual performance is not required during periods when the DG and offsite circuit are required to be OPERABLE.
This SR is modified by a second Note. The reason for the Note is to preclude requiring the automatic functions of the DG(s) on an ECCS initiation to be functional during periods when ECCS are not required. Periods in which ECCS are not required are specified in LCO 3.5.2, "ECCS - Shutdown".
SR 3.8.2.2 This Surveillance is provided to direct that the appropriate Surveillances for the required Unit 3 AC sources are governed by the Unit 3 Technical Specifications.
Performance of the applicable Unit 3 Surveillances will satisfy Unit 3 requirements, as well as satisfying this Unit 2 Surveillance Requirement. Seven exceptions are noted to the Unit 3 SRs of LCO 3.8.1. SR 3.8.1.8 is excepted when only one Unit 3 offsite circuit is required by the Unit 2 Specification, since there is not a second circuit to transfer to. SR 3.8.1.12, SR 3.8.1.13, SR 3.8.1.17, SR 3.8.1.18 (ECCS load block requirements only), and SR 3.8.1.19 are excepted since these SRs test the Unit 3 ECCS initiation signal, which is not needed for the AC sources to be OPERABLE on Unit 2. SR 3.8.1.20 is excepted since starting independence is not required with the DG(s) that is not required to be OPERABLE.
The Frequency required by the applicable Unit 3 SR also governs performance of that SR for Unit 2.
As Noted, if Unit 3 is not in MODE 1, 2, or 3, the Note to Unit 3 SR 3.8.2.1 is applicable. This ensures that a Unit 2 SR will not require a Unit 3 SR to be performed, when the Unit 3 Technical Specifications exempts performance of a Unit 3 SR or when Unit 3 is defueled. (However, as stated in the Unit 3 SR 3.8.2.1 Note, while performance of an SR is exempted, the SR still must be met).
REFERENCES None.
Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.3 Diesel Fuel Oil, Lube Oil, and Starting Air BASES BACKGROUND Each of the four diesel generators (DGs) is provided with an associated storage tank which collectively have a fuel oil capacity sufficient to operate all four DGs for a period of 7 days while the DG is supplying maximum post loss of coolant accident (LOCA) load demand discussed in UFSAR, Section 8.5.2 (Ref. 1). The maximum load demand is calculated using the time dependent loading of each DG and the assumption that all four DGs are available. This onsite fuel oil capacity is sufficient to operate the DGs for longer than the time to replenish the onsite supply from outside sources. Post accident electrical loading and fuel consumption is not equally shared among the DGs. Therefore, it may be necessary to transfer post accident loads between DGs or to transfer fuel oil between storage tanks to achieve 7 days of post accident operation for all four DGs. Each storage tank contains sufficient fuel to support the operation of the DG with the heaviest load for greater than 6 days.
Each DG is equipped with a day tank and an associated fuel transfer pump that will automatically transfer oil from a fuel storage tank to the day tank of the associated DG when actuated by a float switch in the day tank. Additionally, the capability exists to transfer fuel oil between storage tanks. Redundancy of pumps and piping precludes the failure of one pump, or the rupture of any pipe, valve, or tank to result in the loss of more than one DG. All outside tanks and piping are located underground.
For proper operation of the standby DGs, it is necessary to ensure the proper quality of the fuel oil. Regulatory Guide 1.137 (Ref. 2) addresses the recommended fuel oil practices as supplemented by ANSI N195 (Ref. 3). The fuel oil properties governed by these SRs are the water and sediment content, the kinematic viscosity, specific gravity (or API gravity), and impurity level.
The DG lubrication system is designed to provide sufficient lubrication to permit proper operation of its associated DG under all loading conditions. The system is required to circulate the lube oil to the diesel engine working surfaces and to remove excess heat generated by friction during operation. Each engine oil sump and associated lube oil storage tank contain an inventory capable of supporting a minimum of 7 days of operation. Each lube oil sump utilizes a mechanical float-type level controller to automatically maintain the sump at the "full level running" level via gravity feed from the associated lube oil storage tank.
Onsite storage of lube oil also helps ensure a 7 day supply is maintained. This supply is sufficient to allow the operator to replenish lube oil from outside sources.
Each DG has an air start system that includes two air start receivers; each with adequate capacity for five successive normal starts on the DG without recharging the air start receiver.
APPLICABLE SAFETY ANALYSES The initial conditions of Design Basis Accident (DBA) and transient analyses in UFSAR, Chapter 8 (Ref. 4), and Chapter 14 (Ref. 5), assume Engineered Safety Feature (ESF) systems are OPERABLE. The DGs are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.5, Emergency Core Cooling Systems (ECCS) and Reactor Core Isolation Cooling (RCIC) System; and Section 3.6, Containment Systems.
Since diesel fuel oil, lube oil, and starting air subsystem support the operation of the standby AC power sources, they satisfy Criterion 3 of the NRC Policy Statement.
LCO Stored diesel fuel oil is required to have sufficient supply for 7 days of operation at the worst case post accident time-dependent load profile. It is also required to meet specific standards for quality. Additionally, sufficient lube oil supply must be available to ensure the capability to operate at full load for 7 days. This requirement, in conjunction with an ability to obtain replacement supplies within 7 days, supports the availability of DGs required to shut down both the Unit 2 and Unit 3 reactors and to maintain them in a safe condition for an abnormal operational transient or a postulated DBA in one unit with loss of offsite power. DG day tank fuel oil requirements, as well as transfer capability from the storage tank to the day tank, are addressed in LCO 3.8.1, "AC Sources-Operating," and LCO 3.8.2, "AC Sources-Shutdown."
The starting air system is required to have a minimum capacity for five successive DG normal starts without recharging the air start receivers. Only one air start receiver per DG is required, since each air start receiver has the required capacity.
APPLICABILITY The AC sources (LCO 3.8.1 and LCO 3.8.2) are required to ensure the availability of the required power to shut down both the Unit 2 and Unit 3 reactors and maintain them in a safe shutdown condition after an abnormal operational transient or a postulated DBA in either Unit 2 or Unit 3.
Because stored diesel fuel oil, lube oil, and starting air subsystem support LCO 3.8.1 and LCO 3.8.2, stored diesel fuel oil, lube oil, and starting air are required to be within limits when the associated DG is required to be OPERABLE.
ACTIONS The Actions Table is modified by a Note indicating that separate Condition entry is allowed for each DG. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable DG subsystem. Complying with the Required Actions for one inoperable DG subsystem may allow for continued operation, and subsequent inoperable DG subsystem(s) are governed by separate condition entry and application of associated Required Actions.
A.1
With fuel oil level < 31,000 gal in a storage tank (which includes margin for the unusable volume of oil), the 7 day fuel oil supply for a DG is not available. However, the Condition is restricted to fuel oil level reductions that maintain at least a 6 day supply. These circumstances may be caused by events such as:
- a. Full load operation required for an inadvertent start while at minimum required level; or
- b. Feed and bleed operations that may be necessitated by increasing particulate levels or any number of other oil quality degradations.
This restriction allows sufficient time for obtaining the requisite replacement volume and performing the analyses required prior to addition of the fuel oil to the tank. A period of 48 hours is considered sufficient to complete restoration of the required level prior to declaring the DG inoperable. This period is acceptable based on the remaining capacity (> 6 days), the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period.
B.1 With lube oil inventory < 350 gal, sufficient lube oil to support 7 days of continuous DG operation at full load conditions may not be available. However, the Condition is restricted to lube oil volume reductions that maintain at least a 6 day supply. This restriction allows sufficient time for obtaining the requisite replacement volume. A period of 48 hours is considered sufficient to complete restoration of the required volume prior to declaring the DG inoperable. This period is acceptable based on the remaining capacity (> 6 days), the low rate of usage, the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period.
C.1
This Condition is entered as a result of a failure to meet the acceptance criterion for particulates. Normally, trending of particulate levels allows sufficient time to correct high particulate levels prior to reaching the limit of acceptability. Poor sample procedures (bottom sampling), contaminated sampling equipment, and errors in laboratory analysis can produce failures that do not follow a trend.
Since the presence of particulates does not mean failure of the fuel oil to burn properly in the diesel engine, since particulate concentration is unlikely to change significantly between Surveillance Frequency intervals, and since proper engine performance has been recently demonstrated (within 31 days), it is prudent to allow a brief period prior to declaring the associated DG inoperable. The 7 day Completion Time allows for further evaluation, resampling, and re-analysis of the DG fuel oil.
D.1 With the new fuel oil properties defined in the Bases for SR 3.8.3.3 not within the required limits, a period of 30 days is allowed for restoring the stored fuel oil properties. This period provides sufficient time to test the stored fuel oil to determine that the new fuel oil, when mixed with previously stored fuel oil, remains acceptable, or to restore the stored fuel oil properties. This restoration may involve feed and bleed procedures, filtering, or combination of these procedures. Even if a DG start and load was required during this time interval and the fuel oil properties were outside limits, there is high likelihood that the DG would still be capable of performing its intended function.
E.1
With required starting air receiver pressure < 225 psig, sufficient capacity for five successive DG normal starts does not exist. However, as long as the receiver pressure is > 150 psig, there is adequate capacity for at least one start attempt, and the DG can be considered OPERABLE while the air receiver pressure is restored to the required limit. A period of 48 hours is considered sufficient to complete restoration to the required pressure prior to declaring the DG inoperable. This period is acceptable based on the remaining air start capacity, the fact that most DG starts are accomplished on the first attempt, and the low probability of an event during this brief period.
F.1 With a Required Action and associated Completion Time of Condition A, B, C, D, or E not met, or the stored diesel fuel oil, lube oil, or starting air subsystem not within limits for reasons other than addressed by Conditions A through E, the associated DG may be incapable of performing its intended function and must be immediately declared inoperable.
SURVEILLANCE REQUIREMENTS SR 3.8.3.1 This SR provides verification that there is an adequate useable inventory of fuel oil in the storage tanks to support each DG's operation of all four DGs for 7 days at the worst case post accident time-dependent load profile.
The 7 day period is sufficient time to place both Unit 2 and Unit 3 in a safe shutdown condition and to bring in replenishment fuel from an offsite location.
The 31 day Frequency is adequate to ensure that a sufficient supply of fuel oil is available, since low level alarms are provided and unit operators would be aware of any large uses of fuel oil during this period.
SR 3.8.3.2 This Surveillance ensures that sufficient lubricating oil inventory (combined inventory in the DG lube oil sump, lube oil storage tank, and in the warehouse) is available to support at least 7 days of full load operation for each DG.
The 350 gal requirement is conservative with respect to the DG manufacturer's consumption values for the run time of the DG. Implicit in this SR is the requirement to verify the capability to transfer the lube oil from its storage location to the DG to maintain adequate inventory for 7 days of full load operation without the level reaching the manufacturer's recommended minimum level.
A 31 day Frequency is adequate to ensure that a sufficient lube oil supply is onsite, since DG starts and run time are closely monitored by the plant staff.
SR 3.8.3.3 The tests of new fuel oil prior to addition to the storage tanks are a means of determining whether new fuel oil is of the appropriate grade and has not been contaminated with substances that would have an immediate detrimental impact on diesel engine combustion. If results from these tests are within acceptable limits, the fuel oil may be added to the storage tanks without concern for contaminating the entire volume of fuel oil in the storage tanks. These tests are to be conducted prior to adding the new fuel to the storage tank(s), but in no case is the time between the sample (and corresponding results) of new fuel and addition of new fuel oil to the storage tanks to exceed 31 days. The tests, limits, and applicable ASTM Standards are as follows:
- a. Sample the new fuel oil in accordance with ASTM D4057-81 (Ref. 6);
- b. Verify in accordance with the tests specified in ASTM D975-81 (Ref. 6) as discussed in Reference 7 that the sample has a kinematic viscosity at 40°C of > 1.9 centistokes and ≤ 4.1 centistokes (if specific gravity was not determined by comparison with the supplier's certification), and a flash point of ≥ 125°F;
- c. Verify in accordance with tests specified in ASTM D1298-80 (Ref. 6) as discussed in Reference 7 that the sample has an absolute specific gravity at 60/60°F of > 0.83 and ≤ 0.89, or an absolute specific gravity of within 0.0016 at 60/60°F when compared to the supplier's certificate, or an API gravity at 60°F of ≥ 27 and ≤ 39, or an API gravity of within 0.3 at 60°F when compared to the supplier's certification; and
- d. Verify that the new fuel oil has a clear and bright appearance with proper color when tested in accordance with ASTM D4176-82 (Ref. 6) as discussed in Reference 7; or verify, in accordance with ASTM D975-81 (Ref. 6), that the sample has a water and sediment content < 0.05 volume percent when dyes have been intentionally added to fuel oil (for example due to sulfur content).
Failure to meet any of the above limits is cause for rejecting the new fuel oil, but does not represent a failure to meet the LCO concern since the fuel oil is not added to the storage tanks.
Following the initial new fuel oil sample, the fuel oil is analyzed to establish that the other properties specified in Table 1 of ASTM D975-81 (Ref. 6) are met for new fuel oil when tested in accordance with ASTM D975-81 (Ref. 6) as discussed in Reference 7, except that the analysis for sulfur may be performed in accordance with ASTM D1552-79 (Ref. 6) or ASTM D2622-82 (Ref. 6) as discussed in Reference 7. These additional analyses are required by Specification 5.5.9, "Diesel Fuel Oil Testing Program," to be performed within 31 days following sampling and addition.
This 31 day requirement is intended to assure that: 1) the new fuel oil sample taken is no more than 31 days old at the time of adding the new fuel oil to the DG storage tank, and 2) the results of the new fuel oil sample are obtained within 31 days after addition of the new fuel oil to the DG storage tank. The 31 day period is acceptable because the fuel oil properties of interest, even if they were not within stated limits, would not have an immediate effect on DG operation. This Surveillance ensures the availability of high quality fuel oil for the DGs.
Fuel oil degradation during long term storage shows up as an increase in particulate, mostly due to oxidation. The presence of particulate does not mean that the fuel oil will not burn properly in a diesel engine. The particulate can cause fouling of filters and fuel oil injection equipment, however, which can cause engine failure. The fuel oil properties which can affect diesel generator performance (flash point, cetane number, viscosity, cloud point) do not change during storage. If these properties are within specification when the fuel is placed in storage, they will remain within specification unless other non-specification petroleum products are added to the storage tanks. The addition of non-specification petroleum products is precluded by the above described surveillance test program.
Particulate concentrations should be determined in accordance with ASTM D2276-78 (Ref. 6), Method A, as discussed in Reference 7 except that the filters specified in ASTM D2276-78 (Sections 3.1.6 and 3.1.7) may have a nominal pore size up to three microns. This method involves a gravimetric determination of total particulate concentration in the fuel oil and has a limit of 10 mg/l.
It is acceptable to obtain a field sample for subsequent laboratory testing in lieu of field testing. For the Peach Bottom Atomic Power Station design in which the total volume of stored fuel oil is contained in four interconnected tanks, each tank must be considered and tested separately.
The Frequency of this test takes into consideration fuel oil degradation trends that indicate that particulate concentration is unlikely to change significantly between Frequency intervals.
SR 3.8.3.4 This Surveillance ensures that, without the aid of the refill compressor, sufficient air start capacity for each DG is available. The system design requirements provide for a minimum of five normal engine starts without recharging.
The pressure specified in this SR is intended to reflect the lowest value at which the five starts can be accomplished.
The 31 day Frequency takes into account the capacity, capability, redundancy, and diversity of the AC sources and other indications available in the control room, including alarms, to alert the operator to below normal air start pressure.
SR 3.8.3.5 Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel storage tanks once every 31 days eliminates the necessary environment for bacterial survival. This is the most effective means of controlling microbiological fouling.
In addition, it eliminates the potential for water entrainment in the fuel oil during DG operation. Water may come from any of several sources, including condensation, ground water, rain water, contaminated fuel oil, and from breakdown of the fuel oil by bacteria. Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system. The Surveillance Frequencies are consistent with Regulatory Guide 1.137 (Ref. 2). This SR is for preventive maintenance. The presence of water does not necessarily represent failure of this SR, provided the accumulated water is removed during performance of the Surveillance.
REFERENCES
- 1. UFSAR, Section 8.5.2.
- 2. Regulatory Guide 1.137, Revision 1.
- 3. ANSI N195, 1976.
- 4. UFSAR, Chapter 6.
- 5. UFSAR, Chapter 14.
- 6. ASTM Standards: D4057-81; D975-81; D1298-80; D4176-82; D1552-79; D2622-82; and D2276-78.
- 7. Letter from G. A. Hunger (PECO Energy) to USNRC Document Control Desk; Peach Bottom Atomic Power Station Units 2 and 3, Supplement 7 to TSCR 93-16, Conversion to Improved Technical Specifications; dated May 24, 1995.
DC Sources-Operating B 3.8.4 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.4 DC Sources-Operating BASES BACKGROUND The DC electrical power system provides the AC emergency power system with control power. It also provides a source of reliable, uninterruptible 125/250 VDC power and 125 VDC control power and instrument power to Class 1E and non-Class 1E loads during normal operation and for safe shutdown of the plant following any plant design basis event or accident as documented in the UFSAR (Ref. 1), independent of AC power availability. The DC Electrical Power System meets the intent of the Proposed IEEE Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations (Ref. 2). The DC electrical power system is designed to have sufficient independence, redundancy, and testability to perform its safety functions, assuming a single failure.
The DC power sources provide both motive and control power, and instrument power, to selected safety related equipment, as well as to the nonsafety related equipment. There are two independent divisions per unit, designated Division I and Division II. Each division consists of two 125 VDC batteries. The two 125 VDC batteries in each division are connected in series. Each 125 VDC battery has two chargers (one normally inservice charger and one spare charger) that are exclusively associated with that battery and cannot be interconnected with any other 125 VDC battery. The chargers are supplied from separate 480 V motor control centers (MCCs). Each of these MCCs is connected to an independent emergency AC bus. Some of the chargers are capable of being supplied by Unit 3 MCCs, which receive power from a 4 kV emergency bus, via manual transfer switches. However, for a required battery charger to be considered OPERABLE when the unit is in MODE 1, 2, or 3, it must receive power from its associated Unit 2 MCC. The safety related loads between the 125/250 VDC subsystem are not transferable except for the Automatic Depressurization System (ADS) valves and logic circuits and the main steam safety/relief valves. The ADS logic circuits and valves and the main steam safety/relief valves are normally fed from the Division I DC system.
During normal operation, the DC loads are powered from the battery chargers with the batteries floating on the system. In case of loss of normal power to the battery charger, the DC loads are powered from the batteries.
The DC power distribution system is described in more detail in Bases for LCO 3.8.7, "Distribution System-Operating," and LCO 3.8.8, "Distribution System-Shutdown."
Each battery has adequate storage capacity to carry the required load continuously for approximately 2 hours.
Each of the unit's two DC electrical power divisions, consisting of two 125 V batteries in series, four battery chargers (two normally inservice chargers and two spare chargers), and the corresponding control equipment and interconnecting cabling, is separately housed in a ventilated room apart from its chargers and distribution centers. Each division is separated electrically from the other division to ensure that a single failure in one division does not cause a failure in a redundant division.
There is no sharing between redundant Class 1E divisions such as batteries, battery chargers, or distribution panels.
The batteries for DC electrical power subsystems are sized to produce required capacity at 80% of nameplate rating, corresponding to warranted capacity at end of life cycles and the 100% design demand. The minimum design voltage for sizing the battery using the methodology in IEEE 485 (Ref. 3) is based on a traditional 1.81 volts per cell at the end of a 2 hour load profile. The battery terminal voltage using 1.81 volts per cell is 105 V. Using the LOOP/LOCA load profile, the predicted value of the battery terminals is greater than 105 VDC at the end of the profile.
Many 1E loads operate exclusively at the beginning of the profile and require greater than the design minimum terminal voltage. The analyzed voltage of the distribution panels and the MCCs is greater than that required during the LOOP/LOCA to support the operation of the 1E loads during the time period they are required to operate.
Each required battery charger of DC electrical power subsystem has ample power output capacity for the steady state operation of connected loads required during normal operation, while at the same time maintaining its battery bank fully charged. Each battery charger has sufficient capacity to restore the battery from the design minimum charge to its fully charged state within 20 hours while supplying normal steady state loads following a LOCA coincident with a loss of offsite power.
A description of the Unit 3 DC power sources is provided in the Bases for Unit 3 LCO 3.8.4, "DC Sources-Operating."
APPLICABLE SAFETY ANALYSES The initial conditions of Design Basis Accident (DBA) and transient analyses in the UFSAR, Chapter 14 (Ref. 1), assume that Engineered Safety Feature (ESF) systems are OPERABLE.
The DC electrical power system provides normal and emergency DC electrical power for the DGs, emergency auxiliaries, and control and switching during all MODES of operation. The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining DC sources OPERABLE during accident conditions in the event of:
- b. A worst case single failure.
The DC sources satisfy Criterion 3 of the NRC Policy Statement.
LCO The Unit 2 Division I and Division II DC electrical power subsystems, with each DC subsystem consisting of two 125 V station batteries in series, two battery chargers (one per battery), and the corresponding control equipment and interconnecting cabling supplying power to the associated bus, are required to be OPERABLE to ensure the availability of the required power to shut down the reactor and maintain it in a safe condition after an abnormal operational transient or a postulated DBA. In addition, DC control power (which provides control power for the 4 kV load circuit breakers and the feeder breakers to the 4 kV emergency bus) for two of the four 4 kV emergency buses, as well as control power for two of the diesel generators, is provided by the Unit 3 DC electrical power subsystems.
Therefore, Unit 3 Division I and Division II DC electrical power subsystems are also required to be OPERABLE. A Unit 3 DC electrical power subsystem OPERABILITY requirements are the same as those required for a Unit 2 DC electrical power subsystem, except that the Unit 3: 1) Division I DC electrical power subsystem is allowed to consist of only the 125 V battery C, an associated battery charger, and the corresponding control equipment and interconnecting cabling supplying 125 V power to the associated bus; and 2) Division II DC electrical power subsystem is allowed to consist of only the 125 V battery D, an associated battery charger, and the corresponding control equipment and interconnecting cabling supplying 125 V power to the associated bus. This exception is allowed only if all 250 VDC loads are removed from the associated bus. In addition, a Unit 3 battery charger can be powered from a Unit 2 AC source (as described in the Background section of the Bases for Unit 3 LCO 3.8.4, "DC Sources-Operating"), and be considered OPERABLE for the purposes of meeting this LCO. Thus, loss of any DC electrical power subsystem does not prevent the minimum safety function from being performed.
APPLICABILITY The DC electrical power sources are required to be OPERABLE in MODES 1, 2, and 3 to ensure safe unit operation and to ensure that:
- a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of abnormal operational transients; and
- b. Adequate core cooling is provided, and containment integrity and other vital functions are maintained in the event of a postulated DBA.
The DC electrical power requirements for MODES 4 and 5 are addressed in LCO 3.8.5, "DC Sources-Shutdown."
ACTIONS A.1 Pursuant to LCO 3.0.6, the Distribution Systems-Operating ACTIONS would not be entered even if the DC electrical power subsystem inoperability resulted in de-energization of an AC or DC bus. Therefore, the Required Actions of Condition A are modified by a Note to indicate that when Condition A results in de-energization of a Unit 2 4 kV emergency bus or a Unit 3 DC bus, Actions for LCO 3.8.7 must be immediately entered. This allows Condition A to provide requirements for the loss of a Unit 3 DC electrical power subsystem (due to performance of SR 3.8.4.7 or SR 3.8.4.8) without regard to whether a bus is de-energized. LCO 3.8.7 provides the appropriate restriction for a de-energized bus.
If one Unit 3 DC electrical power subsystem is inoperable due to performance of SR 3.8.4.7 or SR 3.8.4.8, the remaining DC electrical power subsystems have the capacity to support a safe shutdown and to mitigate an accident condition. In the case of an inoperable Unit 3 DC electrical power subsystem, since a subsequent postulated worst case single failure could result in the loss of safety function, continued power operation should not exceed 7 days. The 7 day Completion Time is based upon the Unit 3 DC electrical power subsystem being inoperable due to performance of SR 3.8.4.7 or SR 3.8.4.8. Performance of these two SRs will result in inoperability of the Unit 3 DC divisional batteries. Since these batteries are needed for Unit 2 operation, more time is provided to restore the batteries, if the batteries are inoperable for performance of required Surveillances, to preclude the need for a dual unit shutdown to perform these Surveillances. The Unit 3 DC electrical power subsystems also do not provide power to the same type of equipment as the Unit 2 DC sources. The Completion Time also takes into account the capacity and capability of the remaining DC sources.
B.1
Pursuant to LCO 3.0.6, the Distribution Systems-Operating ACTIONS would not be entered even if the DC electrical power subsystem inoperability resulted in de-energization of an AC bus. Therefore, the Required Actions of Condition A are modified by a Note to indicate that when Condition A results in de-energization of a Unit 2 4 kV emergency bus, Actions for LCO 3.8.7 must be immediately entered. This allows Condition A to provide requirements for the loss of a Unit 3 DC electrical power subsystem without regard to whether a bus is de-energized. LCO 3.8.7 provides the appropriate restriction for a de-energized bus.
If one of the Unit 3 DC electrical power subsystems is inoperable for reasons other than Condition A, the remaining DC electrical power subsystems have the capacity to support a safe shutdown and to mitigate an accident condition. Since a subsequent worst case single failure could, however, result in a loss of minimum necessary DC electrical subsystems to mitigate a worst case accident, continued power operation should not exceed 12 hours. The 12 hour Completion Time reflects a reasonable time to assess unit status as a function of the inoperable DC electrical power subsystem and takes into consideration the importance of the Unit 3 DC electrical power subsystem.
C.1
Condition C represents one Unit 2 division with a loss of ability to completely respond to an event, and a potential loss of ability to remain energized during normal operation. It is therefore imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for complete loss of DC power.
If one of the Unit 2 DC electrical power subsystems is inoperable (e.g., inoperable battery/batteries, inoperable required battery charger/chargers, or inoperable required battery charger/chargers and associated battery/batteries), the remaining DC electrical power subsystems have the capacity to support a safe shutdown and to mitigate an accident condition. Since a subsequent worst case single failure could result in the loss of minimum necessary DC electrical subsystems to mitigate a worst case accident, continued power operation should not exceed 2 hours. The 2 hour Completion Time is consistent with Regulatory Guide 1.93 (Ref. 4) and reflects a reasonable time to assess unit status as a function of the inoperable DC electrical power division and, if the Unit 2 DC electrical power division is not restored to OPERABLE status, to prepare to initiate an orderly and safe unit shutdown. The 2 hour limit is also consistent with the allowed time for an inoperable Unit 2 DC Distribution System division.
PBAPS UNIT 2 B 3.8-63 Revision No. 0
D.1 and D.2
If the DC electrical power subsystem cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. The Completion Time to bring the unit to MODE 4 is consistent with the time specified in Regulatory Guide 1.93 (Ref. 4).
E.1 Condition E corresponds to a level of degradation in the DC electrical power subsystems that causes a required safety function to be lost. When more than one DC source is lost, this results in a loss of a required function, thus the plant is in a condition outside the accident analysis.
Therefore, no additional time is justified for continued operation. LCO 3.0.3 must be entered immediately to commence a controlled shutdown.
SURVEILLANCE REQUIREMENTS As Noted at the beginning of the SRs, SR 3.8.4.1 through SR 3.8.4.8 are applicable only to the Unit 2 DC electrical power subsystems and SR 3.8.4.9 is applicable only to the Unit 3 DC electrical power subsystems.
SR 3.8.4.1 Verifying battery terminal voltage while on float charge for the batteries helps to ensure the effectiveness of the charging system and the ability of the batteries to perform their intended function. Float charge is the condition in which the charger is supplying the continuous charge required to overcome the internal losses of a battery (or battery cell) and maintain the battery (or a battery cell) in a fully charged state. The voltage requirements are based on the minimum cell voltage that will maintain a charged cell. This is consistent with the assumptions in the battery sizing calculations. The SR must be performed every 7 days, unless (as specified by the Note in the Frequency) the battery is on equalize charge or has been on equalize charge any time during the previous 1 day. This allows the routine 7 day Frequency to be extended until such a time that the SR can be properly performed and meaningful results obtained. The 14 day Frequency is not modified by the Note, thus regardless of how often the battery is placed on equalize charge, the SR must be performed every 14 days.
SR 3.8.4.2 Visual inspection to detect corrosion of the battery cells and connections or measurement of the resistance of each inter-cell, inter-rack, inter-tier, and terminal connection, provides an indication of physical damage or abnormal deterioration that could potentially degrade battery performance.
The battery connection resistance limits are established to maintain connection resistance as low as reasonably possible to minimize the overall voltage drop across the battery, and the possibility of battery damage due to heating of connections.
The Frequency for these inspections, which can detect conditions that can cause power losses due to resistance heating, is 92 days. This Frequency is considered acceptable based on operating experience related to detecting corrosion trends.
SR 3.8.4.3 Visual inspection of the battery cells, cell plates, and battery racks provides an indication of physical damage or abnormal deterioration that could potentially degrade battery performance. The presence of physical damage or deterioration does not necessarily represent a failure of this SR, provided an evaluation determines that the physical damage or deterioration does not affect the OPERABILITY of the battery (its ability to perform its design function).
The 12 month Frequency for these SRs is consistent with IEEE-450 (Ref. 5), which recommends detailed visual inspection of cell condition and rack integrity on a yearly basis.
SR 3.8.4.4 and SR 3.8.4.5 Visual inspection and resistance measurements of inter-cell, inter-rack, inter-tier, and terminal connections provide an indication of physical damage or abnormal deterioration that could indicate degraded battery condition. The anti-corrosion material is used to help ensure good electrical connections and to reduce terminal deterioration. The visual inspection for corrosion is not intended to require removal of and inspection under each terminal connection.
The removal of visible corrosion is a preventive maintenance SR. The presence of visible corrosion does not necessarily represent a failure of this SR, provided visible corrosion is removed during performance of this Surveillance.
The battery connection resistance limits are established to maintain connection resistance as low as reasonably possible to minimize the overall voltage drop across the battery, and the possibility of battery damage due to heating of connections.
The 12 month Frequency of these SRs is consistent with IEEE-450 (Ref. 5), which recommends detailed visual inspection of cell condition and inspection of cell to cell and terminal connection resistance on a yearly basis.
SR 3.8.4.6 Battery charger capability requirements are based on the design capacity of the chargers. The minimum charging capacity requirement is based on the capacity to maintain the associated battery in its fully charged condition, and to restore the battery to its fully charged condition following the worst case design discharge while supplying normal steady state loads. The minimum required amperes and duration ensure that these requirements can be satisfied.
The Frequency is acceptable, given battery charger reliability and the administrative controls existing to ensure adequate charger performance during these 24 month intervals. In addition, this Frequency is intended to be consistent with expected fuel cycle lengths.
SR 3.8.4.7 A battery service test is a special test of the battery's capability, as found, to satisfy the design requirements (battery duty cycle) of the DC Electrical Power System. The discharge rate and test length correspond to the design duty cycle requirements.
The Frequency is acceptable, given the unit conditions required to perform the test and the other requirements existing to ensure adequate battery performance during these 24 month intervals. In addition, this Frequency is intended to be consistent with expected fuel cycle lengths.
This SR is modified by two Notes. Note 1 allows performance of either a modified performance discharge test or a performance discharge test (described in the Bases for SR 3.8.4.8) in lieu of a service test once per 60 months provided the test performed envelops the duty cycle of the battery. This substitution is acceptable because as long as the test current is greater than or equal to the actual duty cycle of the battery, SR 3.8.4.8 represents a more severe test of battery capacity than a service test. In addition, since PBAPS refueling outage cycle is 24 months, SR 3.8.4.8 is performed every 48 months to ensure the 60 month Frequency is met. Therefore, SR 3.8.4.8 is performed in lieu of SR 3.8.4.7 every second refueling outage.
The reason for Note 2 is that performing the Surveillance would remove a required DC electrical power subsystem from service, perturb the Electrical Distribution System, and challenge safety systems. Credit may be taken for unplanned events that satisfy the Surveillance.
SR 3.8.4.8 A battery performance discharge test is a test of the constant current capacity of a battery, performed between 3 and 30 days after an equalize charge of the battery, to detect any change in the capacity determined by the acceptance test. The test is intended to determine overall battery degradation due to age and usage.
A battery modified performance discharge test is a simulated duty cycle consisting of just two rates: the one minute rate published for the battery or the largest current load of the duty cycle, followed by the test rate employed for the performance test, both of which envelop the duty cycle of the service test. Since the ampere-hours removed by a rated one minute discharge represent a very small portion of the battery capacity, the test rate can be changed to that for the performance test without compromising the results of the performance discharge test. The battery terminal voltage for the modified performance discharge test should remain greater than or equal to the minimum battery terminal voltage specified in the battery performance discharge test.
A modified performance discharge test is a test of the battery capacity and its ability to provide a high rate, short duration load (usually the highest rate of the duty cycle). This will often confirm the battery's ability to meet the critical period of the load duty cycle, in addition to determining its percentage of rated capacity. Initial conditions for the modified performance discharge test should be identical to those specified for a performance discharge test.
Either the battery performance discharge test or the modified performance discharge test is acceptable for satisfying SR 3.8.4.8; however, the discharge test may be used to satisfy SR 3.8.4.8 while satisfying the requirements of SR 3.8.4.7 at the same time only if the test envelops the duty cycle of the battery.
The acceptance criteria for this Surveillance is consistent with IEEE-450 (Ref. 5) and IEEE-485 (Ref. 3). These references recommend that the battery be replaced if its capacity is below 80% of the manufacturer's rating. A capacity of 80% shows that the battery rate of deterioration is increasing, even if there is ample capacity to meet the load requirements.
The Frequency for this test is normally 60 months. If the battery shows degradation, or if the battery has reached 85% of its expected life and capacity is < 100% of the manufacturer's rating, the Surveillance Frequency is reduced to 12 months. However, if the battery shows no degradation but has reached 85% of its expected life, the Surveillance Frequency is only reduced to 24 months for batteries that retain capacity ≥ 100% of the manufacturer's rating.
Degradation is indicated, according to IEEE-450 (Ref. 5), when the battery capacity drops by more than 10% relative to its capacity on the previous performance test or when it is 10% below the manufacturer's rating. If the rate of discharge varies significantly from the previous discharge test, the absolute battery capacity may change significantly, resulting in a capacity drop exceeding the criteria specified above. This absolute battery capacity change could be a result of acid concentration in the plate material, which is not an indication of degradation.
Therefore, results of tests with significant rate differences should be discussed with the vendor and evaluated to determine if degradation has occurred. All these Frequencies, with the exception of the 24 month Frequency, are consistent with the recommendations in IEEE-450 (Ref. 5). The 24 month Frequency is acceptable, given the battery has shown no signs of degradation, the unit conditions required to perform the test and other requirements existing to ensure battery performance during these 24 month intervals. In addition, the 24 month Frequency is intended to be consistent with expected fuel cycle lengths.
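The decision logic described above for SR 3.8.4.8, written out as an added Python example (not part of the Bases or of any plant procedure). The class and function names are hypothetical; the example reads "10% below the manufacturer's rating" as capacity at or below 90% of rating and measures the drop since the previous test in percentage points of rating, both of which are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Thresholds quoted in the Bases text for SR 3.8.4.8.
REPLACE_BELOW_PCT = 80.0       # replacement recommended below 80% of rating
LIFE_FRACTION_TRIGGER = 0.85   # battery has reached 85% of expected life
DROP_TRIGGER_PCT = 10.0        # drop of more than 10% since the previous test
LOW_CAPACITY_PCT = 90.0        # assumption: "10% below rating" means <= 90%


@dataclass
class DischargeResult:
    """One performance discharge test result (hypothetical record layout)."""
    capacity_pct: float                     # measured capacity, % of rating
    previous_capacity_pct: Optional[float]  # previous test, None if no prior test
    age_years: float
    expected_life_years: float
    rate_differs_significantly: bool = False  # discharge rate vs. previous test


def shows_degradation(r: DischargeResult) -> bool:
    """Degradation per the two criteria the Bases attribute to IEEE-450."""
    dropped = (
        r.previous_capacity_pct is not None
        and r.previous_capacity_pct - r.capacity_pct > DROP_TRIGGER_PCT
    )
    low = r.capacity_pct <= LOW_CAPACITY_PCT
    return dropped or low


def surveillance_interval_months(r: DischargeResult) -> int:
    """Return 60, 24 or 12 months following the Frequency discussion."""
    near_end_of_life = r.age_years >= LIFE_FRACTION_TRIGGER * r.expected_life_years
    if shows_degradation(r):
        return 12
    if near_end_of_life and r.capacity_pct < 100.0:
        return 12
    if near_end_of_life:
        return 24  # no degradation, capacity >= 100% of rating
    return 60


def evaluate(r: DischargeResult) -> dict:
    """Summarize one test: interval, replacement flag, vendor review flag."""
    return {
        "degraded": shows_degradation(r),
        "interval_months": surveillance_interval_months(r),
        "replace": r.capacity_pct < REPLACE_BELOW_PCT,
        # A significant rate difference can shift measured capacity without
        # real degradation, so the result is flagged for vendor evaluation.
        "vendor_review": r.rate_differs_significantly,
    }


if __name__ == "__main__":
    # Constructed sample results, not plant data.
    samples = [
        DischargeResult(105.0, 107.0, 5.0, 20.0),
        DischargeResult(102.0, 104.0, 18.0, 20.0),
        DischargeResult(97.0, 99.0, 18.0, 20.0),
        DischargeResult(93.0, 105.0, 5.0, 20.0, rate_differs_significantly=True),
        DischargeResult(78.0, 85.0, 12.0, 20.0),
    ]
    for s in samples:
        print(s, evaluate(s))
```

A drop of exactly 10 points does not count as degradation under this reading, because the text says "more than 10%".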
This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required DC electrical power subsystem from service, perturb the electrical distribution system, and challenge safety systems. Credit may be taken for unplanned events that satisfy the Surveillance. The DC batteries of the other unit are exempted from this restriction since they are required to be OPERABLE by both units and the Surveillance cannot be performed in the manner required by the Note without resulting in a dual unit shutdown.
SR 3.8.4.9 With the exception of this Surveillance, all other Surveillances of this Specification (SR 3.8.4.1 through SR 3.8.4.8) are applied only to the Unit 2 DC electrical power subsystems. This Surveillance is provided to direct that the appropriate Surveillances for the required Unit 3 DC electrical power subsystems are governed by the Unit 3 Technical Specifications. Performance of the applicable Unit 3 Surveillances will satisfy Unit 3 requirements, as well as satisfying this Unit 2 Surveillance Requirement.
The Frequency required by the applicable Unit 3 SR also governs performance of that SR for Unit 2. As Noted, if Unit 3 is in MODE 4 or 5, or moving irradiated fuel assemblies in the secondary containment, the Note to Unit 3 SR 3.8.5.1 is applicable. This ensures that a Unit 2 SR will not require a Unit 3 SR to be performed, when the Unit 3 Technical Specifications exempts performance of a Unit 3 SR. (However, as stated in the Unit 3 SR 3.8.5.1 Note, while performance of the SR is exempted, the SR still must be met.)
REFERENCES 1. UFSAR, Chapter 14.
- 2. 'Proposed IEEE Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations,' June 1969.
- 3. IEEE Standard 485, 1983.
- 4. Regulatory Guide 1.93, December 1974.
- 5. IEEE Standard 450, 1987.
DC Sources-Shutdown B 3.8.5 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.5 DC Sources-Shutdown BASES BACKGROUND A description of the DC sources is provided in the Bases for LCO 3.8.4, "DC Sources-Operating."
APPLICABLE SAFETY ANALYSES The initial conditions of Design Basis Accident and transient analyses in the UFSAR, Chapter 14 (Ref. 1), assume that Engineered Safety Feature systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the diesel generators (DGs), emergency auxiliaries, and control and switching during all MODES of operation.
The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.
The OPERABILITY of the minimum DC electrical power sources during MODES 4 and 5 and during movement of irradiated fuel assemblies in secondary containment ensures that:
- a. The facility can be maintained in the shutdown or refueling condition for extended periods;
- b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and
- c. Adequate DC electrical power is provided to mitigate events postulated during shutdown, such as an inadvertent draindown of the vessel or a fuel handling accident.
The DC sources satisfy Criterion 3 of the NRC Policy Statement.
LCO The Unit 2 DC electrical power subsystems, with each DC subsystem consisting of two 125 V station batteries in series, two battery chargers (one per battery), and the corresponding control equipment and interconnecting cabling supplying power to the associated bus, are required to be OPERABLE to support Unit 2 DC distribution subsystems required OPERABLE by LCO 3.8.8, "Distribution Systems-Shutdown." When the equipment required OPERABLE: 1) does not require 250 VDC from the DC electrical power subsystem; and 2) does not require 125 VDC from one of the two 125 V batteries of the DC electrical power subsystem, the Unit 2 DC electrical power subsystem requirements can be modified to only include one 125 V battery (the battery needed to provide power to required equipment), an associated battery charger, and the corresponding control equipment and interconnecting cabling supplying 125 V power to the associated bus. This exception is allowed only if all 250 VDC loads are removed from the associated bus. In addition, DC control power (which provides control power for the 4 kV load circuit breakers and the feeder breakers to the 4 kV emergency bus) for two of the four 4 kV emergency buses, as well as control power for two of the diesel generators, is provided by the Unit 3 DC electrical power subsystems. Therefore, the Unit 3 DC electrical power subsystems needed to support required components are also required to be OPERABLE. The Unit 3 DC electrical power subsystem OPERABILITY requirements are the same as those required for a Unit 2 DC electrical power subsystem. In addition, battery chargers (Unit 2 and Unit 3) can be powered from the opposite unit's AC source (as described in the Background section of the Bases for LCO 3.8.4, "DC Sources-Operating"), and be considered OPERABLE for the purpose of meeting this LCO.
This requirement ensures the availability of sufficient DC electrical power sources to operate the unit in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents and inadvertent reactor vessel draindown).
APPLICABILITY The DC electrical power sources required to be OPERABLE in MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment provide assurance that:
- a. Required features to provide adequate coolant inventory makeup are available for the irradiated fuel assemblies in the core in case of an inadvertent draindown of the reactor vessel;
- b. Required features needed to mitigate a fuel handling accident are available;
- c. Required features necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and
- d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.
The DC electrical power requirements for MODES 1, 2, and 3 are covered in LCO 3.8.4.
ACTIONS LCO 3.0.3 is not applicable while in MODE 4 or 5. However, since irradiated fuel assembly movement can occur in MODE 1, 2, or 3, the ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, in either case, inability to suspend movement of irradiated fuel assemblies would not be sufficient reason to require a reactor shutdown.
A.1, A.2.1, A.2.2, A.2.3, and A.2.4 If more than one DC distribution subsystem is required according to LCO 3.8.8, the DC electrical power subsystems remaining OPERABLE with one or more DC electrical power subsystems inoperable may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS, fuel movement, and operations with a potential for draining the reactor vessel.
By allowance of the option to declare required features inoperable with associated DC electrical power subsystems inoperable, appropriate restrictions are implemented in accordance with the affected system LCOs' ACTIONS. However, in many instances, this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies in secondary containment, and any activities that could result in inadvertent draining of the reactor vessel).
Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition.
These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required DC electrical power subsystems and to continue this action until restoration is accomplished in order to provide the necessary DC electrical power to the plant safety systems.
The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required DC electrical power subsystems should be completed as quickly as possible in order to minimize the time during which the plant safety systems may be without sufficient power.
SURVEILLANCE REQUIREMENTS
SR 3.8.5.1
SR 3.8.5.1 requires performance of all Surveillances required by SR 3.8.4.1 through SR 3.8.4.8. Therefore, see the corresponding Bases for LCO 3.8.4 for a discussion of each SR.
This SR is modified by a Note. The reason for the Note is to preclude requiring the OPERABLE DC electrical power subsystems from being discharged below their capability to provide the required power supply or otherwise rendered inoperable during the performance of SRs. It is the intent that these SRs must still be capable of being met, but actual performance is not required.
SR 3.8.5.2 This Surveillance is provided to direct that the appropriate Surveillances for the required Unit 3 DC electrical power subsystems are governed by the Unit 3 Technical Specifications. Performance of the applicable Unit 3 Surveillances will satisfy Unit 3 requirements, as well as satisfying this Unit 2 Surveillance Requirement. The Frequency required by the applicable Unit 3 SR also governs performance of that SR for Unit 2.
As Noted, if Unit 3 is in MODE 4 or 5, or moving irradiated fuel assemblies in the secondary containment, the Note to Unit 3 SR 3.8.5.1 is applicable. This ensures that a Unit 2 SR will not require a Unit 3 SR to be performed, when the Unit 3 Technical Specifications exempts performance of a Unit 3 SR. (However, as stated in the Unit 3 SR 3.8.5.1 Note, while performance of an SR is exempted, the SR still must be met.)
REFERENCES 1. UFSAR, Chapter 14.
Battery Cell Parameters B 3.8.6 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.6 Battery Cell Parameters BASES BACKGROUND This LCO delineates the limits on electrolyte temperature, level, float voltage, and specific gravity for the DC electrical power subsystems batteries. A discussion of these batteries and their OPERABILITY requirements is provided in the Bases for LCO 3.8.4, "DC Sources-Operating," and LCO 3.8.5, "DC Sources-Shutdown."
APPLICABLE SAFETY ANALYSES The initial conditions of Design Basis Accident (DBA) and transient analyses in UFSAR, Chapter 14 (Ref. 1), assume Engineered Safety Feature systems are OPERABLE. The DC electrical power subsystems provide normal and emergency DC electrical power for the diesel generators (DGs), emergency auxiliaries, and control and switching during all MODES of operation.
The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit as discussed in the Bases of LCO 3.8.4, "DC Sources-Operating," and LCO 3.8.5, "DC Sources-Shutdown."
Since battery cell parameters support the operation of the DC electrical power subsystems, they satisfy Criterion 3 of the NRC Policy Statement.
LCO Battery cell parameters must remain within acceptable limits to ensure availability of the required DC power to shut down the reactor and maintain it in a safe condition after an abnormal operational transient or a postulated DBA.
Electrolyte limits are conservatively established, allowing continued DC electrical system function even with Category A and B limits not met.
APPLICABILITY The battery cell parameters are required solely for the support of the associated DC electrical power subsystem.
Therefore, these cell parameters are only required when the DC power source is required to be OPERABLE. Refer to the Applicability discussions in Bases for LCO 3.8.4 and LCO 3.8.5.
ACTIONS A.1, A.2, and A.3 With parameters of one or more cells in one or more batteries not within limits (i.e., Category A limits not met or Category B limits not met, or Category A and B limits not met) but within the Category C limits specified in Table 3.8.6-1, the battery is degraded but there is still sufficient capacity to perform the intended function.
Therefore, the affected battery is not required to be considered inoperable solely as a result of Category A or B limits not met, and continued operation is permitted for a limited period.
The pilot cell electrolyte level and float voltage are required to be verified to meet the Category C limits within 1 hour (Required Action A.1). This check provides a quick indication of the status of the remainder of the battery cells. One hour provides time to inspect the electrolyte level and to confirm the float voltage of the pilot cells.
One hour is considered a reasonable amount of time to perform the required verification.
Verification that the Category C limits are met (Required Action A.2) provides assurance that during the time needed to restore the parameters to the Category A and B limits, the battery is still capable of performing its intended function. A period of 24 hours is allowed to complete the initial verification because specific gravity measurements must be obtained for each connected cell. Taking into consideration both the time required to perform the required verification and the assurance that the battery cell parameters are not severely degraded, this time is considered reasonable. The verification is repeated at 7 day intervals until the parameters are restored to Category A or B limits. This periodic verification is consistent with the normal Frequency of pilot cell surveillances.
Continued operation is only permitted for 31 days before battery cell parameters must be restored to within Category A and B limits. Taking into consideration that, while battery capacity is degraded, sufficient capacity exists to perform the intended function and to allow time to fully restore the battery cell parameters to normal limits, this time is acceptable for operation prior to declaring the DC batteries inoperable.
B.1
When any battery parameter is outside the Category C limit for any connected cell, sufficient capacity to supply the maximum expected load requirement is not ensured and the corresponding DC electrical power subsystem must be declared inoperable. Additionally, other potentially extreme conditions, such as not completing the Required Actions of Condition A within the required Completion Time or average electrolyte temperature of representative cells falling below 40°F, also are cause for immediately declaring the associated DC electrical power subsystem inoperable.
SURVEILLANCE REQUIREMENTS SR 3.8.6.1 This SR verifies that Category A battery cell parameters are consistent with IEEE-450 (Ref. 2), which recommends regular battery inspections (at least one per month) including voltage, specific gravity, and electrolyte temperature of pilot cells. The SR must be performed every 7 days, unless (as specified by the Note in the Frequency) the battery is on equalize charge or has been on equalize charge any time during the previous 4 days. This allows the routine 7 day Frequency to be extended until such a time that the SR can be properly performed and meaningful results obtained. The 14 day Frequency is not modified by the Note, thus regardless of how often the battery is placed on equalize charge, the SR must be performed every 14 days.
SR 3.8.6.2 The quarterly inspection of specific gravity and voltage is consistent with IEEE-450 (Ref. 2). In addition, within 24 hours of a battery discharge < 100 V or within 24 hours of a battery overcharge > 145 V, the battery must be demonstrated to meet Category B limits. Transients, such as motor starting transients which may momentarily cause battery voltage to drop to ≤ 100 V, do not constitute battery discharge provided the battery terminal voltage and float current return to pre-transient values. This inspection is also consistent with IEEE-450 (Ref. 2), which recommends special inspections following a severe discharge or overcharge, to ensure that no significant degradation of the battery occurs as a consequence of such discharge or overcharge.
SR 3.8.6.3 This Surveillance verification that the average temperature of representative cells is within limits is consistent with a recommendation of IEEE-450 (Ref. 2) that states that the temperature of electrolytes in representative cells should be determined on a quarterly basis.
Lower than normal temperatures act to inhibit or reduce battery capacity. This SR ensures that the operating temperatures remain within an acceptable operating range.
Table 3.8.6-1 This table delineates the limits on electrolyte level, float voltage, and specific gravity for three different categories. The meaning of each category is discussed below.
Category A defines the normal parameter limit for each designated pilot cell in each battery. The cells selected as pilot cells are those whose temperature, voltage, and electrolyte specific gravity approximate the state of charge of the entire battery.
The Category A limits specified for electrolyte level are based on manufacturer's recommendations and are consistent with the guidance in IEEE-450 (Ref. 2), with the extra ¼ inch allowance above the high water level indication for operating margin to account for temperature and charge effects. In addition to this allowance, footnote a to Table 3.8.6-1 permits the electrolyte level to be above the specified maximum level during equalizing charge, provided it is not overflowing. These limits ensure that the plates suffer no physical damage, and that adequate electron transfer capability is maintained in the event of transient conditions. IEEE-450 (Ref. 2) recommends that electrolyte level readings should be made only after the battery has been at float charge for at least 72 hours.
The Category A limit specified for float voltage is > 2.13 V per cell. This value is based on the recommendation of IEEE-450 (Ref. 2), which states that prolonged operation of cells below 2.13 V can reduce the life expectancy of cells.
The Category A limit specified for specific gravity for each pilot cell is > 1.195 (0.020 below the manufacturer's fully charged nominal specific gravity or a battery charging current that had stabilized at a low value). This value is characteristic of a charged cell with adequate capacity.
According to IEEE-450 (Ref. 2), the specific gravity readings are based on a temperature of 77°F (25°C).
The specific gravity readings are corrected for actual electrolyte temperature and level. For each 3°F (1.67°C) above 77°F (25°C), 1 point (0.001) is added to the reading; 1 point is subtracted for each 3°F below 77°F. The specific gravity of the electrolyte in a cell increases with a loss of water due to electrolysis or evaporation. Level correction will be in accordance with manufacturer's recommendations.
Category B defines the normal parameter limits for each connected cell. The term 'connected cell' excludes any battery cell that may be jumpered out.
The Category B limits specified for electrolyte level and float voltage are the same as those specified for Category A and have been discussed above. The Category B limit specified for specific gravity for each connected cell is ≥ 1.195 (0.020 below the manufacturer's fully charged, nominal specific gravity) with the average of all connected cells 1.205 (0.010 below the manufacturer's fully charged, nominal specific gravity). These values were developed from manufacturer's recommendations. The minimum specific gravity value required for each cell ensures that the effects of a highly charged or newly installed cell do not mask overall degradation of the battery.
Category C defines the limit for each connected cell. These values, although reduced, provide assurance that sufficient capacity exists to perform the intended function and maintain a margin of safety. When any battery parameter is outside the Category C limit, the assurance of sufficient capacity described above no longer exists, and the battery must be declared inoperable.
The Category C limit specified for electrolyte level (above the top of the plates and not overflowing) ensures that the plates suffer no physical damage and maintain adequate electron transfer capability. The Category C Allowable Value for voltage is based on IEEE-450 (Ref. 2), which states that a cell voltage of 2.07 V or below, under float conditions and not caused by elevated temperature of the cell, indicates internal cell problems and may require cell replacement.
The Category C limit of average specific gravity ≥ 1.190 is based on manufacturer's recommendations. In addition to that limit, it is required that the specific gravity for each connected cell must be no less than 0.020 below the average of all connected cells. This limit ensures that the effect of a highly charged or new cell does not mask overall degradation of the battery.
The footnotes to Table 3.8.6-1 that apply to specific gravity are applicable to Category A, B, and C specific gravity. Footnote b of Table 3.8.6-1 requires the above mentioned correction for electrolyte level and temperature, with the exception that level correction is not required when battery charging current, while on float charge, is < 1 amp. This current provides, in general, an indication of overall battery condition.
Because of specific gravity gradients that are produced during the recharging process, delays of several days may occur while waiting for the specific gravity to stabilize.
A stabilized charger current is an acceptable alternative to specific gravity measurement for determining the state of charge of the designated pilot cell. This phenomenon is discussed in IEEE-450 (Ref. 2). Footnote c to Table 3.8.6-1 allows the float charge current to be used as an alternate to specific gravity for up to 180 days following a battery recharge after a deep discharge. Within 180 days each connected cell's specific gravity must be measured to confirm the state of charge. Following a minor battery recharge (such as equalizing charge that does not follow a deep discharge) specific gravity gradients are not significant, and confirming measurements must be made within 30 days.
REFERENCES
- 1. UFSAR, Chapter 14.
- 2. IEEE Standard 450, 1987.
B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.7 Distribution Systems-Operating BASES BACKGROUND The onsite Class 1E AC and DC electrical power distribution system is divided into redundant and independent AC and DC electrical power distribution subsystems.
The primary AC distribution system for Unit 2 consists of four 4 kV emergency buses each having two offsite sources of power as well as an onsite diesel generator (DG) source.
Each 4 kV emergency bus is connected to its normal source of power via either emergency auxiliary transformer no. 2 or no. 3. During a loss of the normal supply of offsite power to the 4 kV emergency buses, the alternate supply breaker from the alternate supply of offsite power for the 4 kV emergency buses attempts to close. If all offsite sources are unavailable, the onsite emergency DGs supply power to the 4 kV emergency buses. (However, these supply breakers are not governed by this LCO; they are governed by LCO 3.8.1, "AC Sources-Operating".)
The secondary plant distribution system for Unit 2 includes 480 VAC load centers E124, E224, E324, and E424.
There are two independent 125/250 VDC electrical power distribution subsystems for Unit 2 that support the necessary power for ESF functions.
In addition, since some components required by Unit 2 receive power through Unit 3 electrical power distribution subsystems, the Unit 3 AC and DC electrical power distribution subsystems needed to support the required equipment are also addressed in LCO 3.8.7. A description of the Unit 3 AC and DC Electrical Power Distribution System is provided in the Bases for Unit 3 LCO 3.8.7, "Distribution System-Operating."
The list of required Unit 2 distribution buses is presented in Table B 3.8.7-1.
APPLICABLE SAFETY ANALYSES The initial conditions of Design Basis Accident (DBA) and transient analyses in the UFSAR, Chapter 14 (Ref. 1), assume Engineered Safety Feature (ESF) systems are OPERABLE. The AC and DC electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.5, Emergency Core Cooling Systems (ECCS) and Reactor Core Isolation Cooling (RCIC) System; and Section 3.6 Containment Systems.
The OPERABILITY of the AC and DC electrical power distribution subsystems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining distribution systems OPERABLE during accident conditions in the event of:
- a. An assumed loss of all offsite power or all onsite AC electrical power; and
- b. A postulated worst case single failure.
The AC and DC electrical power distribution system satisfies Criterion 3 of the NRC Policy Statement.
LCO The Unit 2 AC and DC electrical power distribution subsystems are required to be OPERABLE. The required Unit 2 electrical power distribution subsystems listed in Table B 3.8.7-1 ensure the availability of AC and DC electrical power for the systems required to shut down the reactor and maintain it in a safe condition after an abnormal operational transient or a postulated DBA. As stated in the Table, each division of the AC and DC electrical power distribution systems is a subsystem. In addition, since some components required by Unit 2 receive power through Unit 3 electrical power distribution subsystems (e.g., Standby Gas Treatment (SGT) System, emergency heat sink components, and DC control power for two of the four 4 kV emergency buses, as well as control power for two of the diesel generators), the Unit 3 AC and DC electrical power distribution subsystems needed to support the required equipment must also be OPERABLE. The Unit 3 electrical power distribution subsystems that may be required are listed in Unit 3 Table B 3.8.7-1.
Maintaining the Unit 2 Division I and II and required Unit 3 AC and DC electrical power distribution subsystems OPERABLE ensures that the redundancy incorporated into the design of ESF is not defeated. Therefore, a single failure within any system or within the electrical power distribution subsystems will not prevent safe shutdown of the reactor.
The Unit 2 and Unit 3 AC electrical power distribution subsystems require the associated buses and electrical circuits to be energized to their proper voltages. The Unit 2 and Unit 3 DC electrical power distribution subsystems require the associated buses to be energized to their proper voltage from either the associated batteries or chargers. However, when a Unit 3 DC electrical power subsystem is only required to have one 125 V battery and associated battery charger to be considered OPERABLE (as described in the LCO section of the Bases for LCO 3.8.4, "DC Sources-Operating"), the proper voltage to which the associated bus is required to be energized is lowered from 250 V to 125 V (as read from the associated battery charger).
Based on the number of safety significant electrical loads associated with each electrical power distribution component (i.e., bus, load center, or distribution panel) listed in Table B 3.8.7-1, if one or more of the electrical power distribution components within a division (listed in Table 3.8.7-1) becomes inoperable, entry into the appropriate ACTIONS of LCO 3.8.7 is required. Other electrical power distribution components such as motor control centers (MCC) and distribution panels, which help comprise the AC and DC distribution systems are not listed in Table B 3.8.7-1. The loss of electrical loads associated with these electrical power distribution components may not result in a complete loss of a redundant safety function necessary to shut down the reactor and maintain it in a safe condition. Therefore, should one or more of these electrical power distribution components become inoperable due to a failure not affecting the OPERABILITY of an electrical power distribution component listed in Table B 3.8.7-1 (e.g., a breaker supplying a single MCC fails open), the individual loads on the electrical power distribution component would be considered inoperable, and the appropriate Conditions and Required Actions of the LCOs governing the individual loads would be entered. If, however, one or more of these electrical power distribution components is inoperable due to a failure also affecting the OPERABILITY of an electrical power distribution component listed in Table B 3.8.7-1 (e.g., loss of a 4 kV emergency bus, which results in de-energization of all electrical power distribution components powered from the 4 kV emergency bus), while these electrical power distribution components and individual loads are still considered inoperable, the Conditions and Required Actions of the LCO for the individual loads are not required to be entered, since LCO 3.0.6 allows this exception (i.e., the loads are inoperable due to the inoperability of a support system governed by a Technical Specification; the 4 kV emergency bus).
In addition, transfer switches between redundant safety related Unit 2 and Unit 3 AC and DC power distribution subsystems must be open. This prevents any electrical malfunction in any power distribution subsystem from propagating to the redundant subsystem, which could cause the failure of a redundant subsystem and a loss of essential safety function(s). If any transfer switches are closed, the electrical power distribution subsystem which is not being powered from its normal source (i.e., it is being powered from its redundant electrical power distribution subsystem) is considered inoperable. This applies to the onsite, safety related, redundant electrical power distribution subsystems. It does not, however, preclude redundant Class 1E 4 kV emergency buses from being powered from the same offsite circuit.
APPLICABILITY The electrical power distribution subsystems are required to be OPERABLE in MODES 1, 2, and 3 to ensure that:
- a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of abnormal operational transients; and
- b. Adequate core cooling is provided, and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.
Electrical power distribution subsystem requirements for MODES 4 and 5 and other conditions in which AC and DC electrical power distribution subsystems are required, are covered in LCO 3.8.8, "Distribution Systems-Shutdown."
ACTIONS A.1 Pursuant to LCO 3.0.6, the DC Sources-Operating ACTIONS would not be entered even if the AC electrical power distribution subsystem inoperability resulted in de-energization of a required battery charger. Therefore, the Required Actions of Condition A are modified by a Note to indicate that when Condition A results in de-energization of a required Unit 3 battery charger, Actions for LCO 3.8.4 must be immediately entered. This allows Condition A to provide requirements for the loss of a Unit 3 AC electrical power distribution subsystem without regard to whether a battery charger is de-energized. LCO 3.8.4 provides the appropriate restriction for a de-energized battery charger.
If one or more of the required Unit 3 AC electrical power distribution subsystems are inoperable, and a loss of function has not occurred as described in Condition F, the remaining AC electrical power distribution subsystems have the capacity to support a safe shutdown and to mitigate an accident condition. Since a subsequent worst case single failure could, however, result in the loss of certain safety functions, continued power operation should not exceed 7 days. The 7 day Completion Time takes into account the capacity and capability of the remaining AC electrical power distribution subsystems, and is based on the shortest restoration time allowed for the systems affected by the inoperable AC electrical power distribution subsystem in the respective system Specification.
B.1 If one of the Unit 3 DC electrical power distribution subsystems is inoperable, the remaining DC electrical power distribution subsystems have the capacity to support a safe shutdown and to mitigate an accident condition. Since a subsequent worst case single failure could, however, result in the loss of safety function, continued power operation should not exceed 12 hours. The 12 hour Completion Time reflects a reasonable time to assess unit status as a function of the inoperable DC electrical power distribution subsystem and takes into consideration the importance of the Unit 3 DC electrical power distribution subsystem.
C.1 With one Unit 2 AC electrical power distribution subsystem inoperable, the remaining AC electrical power distribution subsystems are capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure.
The overall reliability is reduced, however, because a single failure in the remaining power distribution subsystems could result in the minimum required ESF functions not being supported. Therefore, the Unit 2 AC electrical power distribution subsystem must be restored to OPERABLE status within 8 hours.
The Condition C worst scenario is one 4 kV emergency bus without AC power (i.e., no offsite power to the 4 kV emergency bus and the associated DG inoperable). In this Condition, the unit is more vulnerable to a complete loss of Unit 2 AC power. It is, therefore, imperative that the unit operators' attention be focused on minimizing the potential for loss of power to the remaining buses by stabilizing the unit, and on restoring power to the affected bus(es). The 8 hour time limit before requiring a unit shutdown in this Condition is acceptable because:
- a. There is a potential for decreased safety if the unit operators' attention is diverted from the evaluations and actions necessary to restore power to the affected bus(es) to the actions associated with taking the unit to shutdown within this time limit.
- b. The potential for an event in conjunction with a single failure of a redundant component in the division with AC power. (The redundant component is verified OPERABLE in accordance with Specification 5.5.11, "Safety Function Determination Program (SFDP).")
The second Completion Time for Required Action C.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet LCO 3.8.7.a. If Condition C is entered while, for instance, a Unit 2 DC bus is inoperable and subsequently returned OPERABLE, this LCO may already have been not met for up to 2 hours. This situation could lead to a total duration of 10 hours, since initial failure of the LCO, to restore the Unit 2 AC Electrical Power Distribution System. At this time a Unit 2 DC bus could again become inoperable, and Unit 2 AC Electrical Power Distribution System could be restored OPERABLE. This could continue indefinitely.
This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."
This results in establishing the "time zero" at the time LCO 3.8.7.a was initially not met, instead of at the time Condition C was entered. The 16 hour Completion Time is an acceptable limitation on this potential to fail to meet the LCO 3.8.7.a indefinitely.
D.1 With one Unit 2 DC electrical power distribution subsystem inoperable, the remaining DC electrical power distribution subsystem is capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure.
The overall reliability is reduced, however, because a single failure in the remaining DC electrical power distribution subsystem could result in the minimum required ESF functions not being supported. Therefore, the Unit 2 DC electrical power distribution subsystem must be restored to OPERABLE status within 2 hours.
Condition D represents one Unit 2 electrical power distribution subsystem without adequate DC power, potentially with both the battery(s) significantly degraded and the associated charger(s) nonfunctioning. In this situation the plant is significantly more vulnerable to a complete loss of all Unit 2 DC power. It is, therefore, imperative that the operator's attention focus on stabilizing the plant, minimizing the potential for loss of power to the remaining electrical power distribution subsystem, and restoring power to the affected electrical power distribution subsystem.
This 2 hour limit is more conservative than Completion Times allowed for the majority of components that would be without power. Taking exception to LCO 3.0.2 for components without adequate DC power, which would have Required Action Completion Times shorter than 2 hours, is acceptable because of:
- a. The potential for decreased safety when requiring a change in plant conditions (i.e., requiring a shutdown) while not allowing stable operations to continue;
- b. The potential for decreased safety when requiring entry into numerous applicable Conditions and Required Actions for components without DC power, while not providing sufficient time for the operators to perform the necessary evaluations and actions for restoring power to the affected subsystem;
- c. The potential for an event in conjunction with a single failure of a redundant component.
The 2 hour Completion Time for DC electrical power distribution subsystems is consistent with Regulatory Guide 1.93 (Ref. 2).
The second Completion Time for Required Action D.1 establishes a limit on the maximum time allowed for any combination of required electrical power distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet LCO 3.8.7.a. If Condition D is entered while, for instance, a Unit 2 AC bus is inoperable and subsequently restored OPERABLE, LCO 3.8.7.a may already have been not met for up to 8 hours. This situation could lead to a total duration of 10 hours, since initial failure of LCO 3.8.7.a, to restore the Unit 2 DC Electrical Power Distribution System. At this time, a Unit 2 AC bus could again become inoperable, and Unit 2 DC Electrical Power Distribution System could be restored OPERABLE. This could continue indefinitely.
This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This allowance results in establishing the "time zero" at the time LCO 3.8.7.a was initially not met, instead of at the time Condition D was entered. The 16 hour Completion Time is an acceptable limitation on this potential of failing to meet the LCO indefinitely.
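The "time zero" rule described for the second Completion Times of Required Actions C.1 and D.1 can be traced with a short script. This is an added Python example, not part of the Bases or of any plant software; the event log, the `Event` type and the function name are constructed for illustration, and Condition F (loss of function) is not modeled.

```python
"""Added illustration: Completion Time clocks for Unit 2 distribution
subsystems under LCO 3.8.7.a, using the hours stated in the Bases."""
from dataclasses import dataclass

# Hours stated in the Bases for Required Actions C.1 (AC) and D.1 (DC).
RESTORE_HOURS = {"AC": 8.0, "DC": 2.0}
# Second Completion Time, counted from when LCO 3.8.7.a was initially not met.
SECOND_COMPLETION_HOURS = 16.0


@dataclass(frozen=True)
class Event:
    t: float         # hours since the start of the constructed log
    subsystem: str   # "AC" or "DC" Unit 2 distribution subsystem
    state: str       # "INOP" or "OPERABLE"


def first_missed_deadline(events, end_time, apply_second_completion_time=True):
    """Return the first Completion Time (in log hours) that expires with the
    subsystem still inoperable, or None if every deadline is met."""
    inoperable = {}    # subsystem -> time its Condition was entered
    time_zero = None   # time LCO 3.8.7.a was initially not met

    def earliest_deadline():
        if not inoperable:
            return None
        # Each Condition has its own clock, started at Condition entry.
        deadlines = [t0 + RESTORE_HOURS[s] for s, t0 in inoperable.items()]
        if apply_second_completion_time:
            # This clock does not restart when a different Condition is entered.
            deadlines.append(time_zero + SECOND_COMPLETION_HOURS)
        return min(deadlines)

    for ev in sorted(events, key=lambda e: e.t):
        if ev.subsystem not in RESTORE_HOURS or ev.state not in ("INOP", "OPERABLE"):
            raise ValueError(f"unrecognized event: {ev}")
        due = earliest_deadline()
        if due is not None and due < ev.t:
            return due
        if ev.state == "INOP":
            if not inoperable:
                time_zero = ev.t          # LCO 3.8.7.a first not met
            inoperable.setdefault(ev.subsystem, ev.t)
        else:
            inoperable.pop(ev.subsystem, None)
            if not inoperable:
                time_zero = None          # LCO met again; occurrence ends
    due = earliest_deadline()
    return due if due is not None and due < end_time else None


# Constructed log: AC and DC subsystems alternate so that each individual
# 8 hour or 2 hour clock is met, yet LCO 3.8.7.a is not met from t=0 to t=18.9.
CONSTRUCTED_LOG = [
    Event(0.0, "DC", "INOP"), Event(1.5, "AC", "INOP"),
    Event(1.9, "DC", "OPERABLE"), Event(9.0, "DC", "INOP"),
    Event(9.4, "AC", "OPERABLE"), Event(10.5, "AC", "INOP"),
    Event(10.9, "DC", "OPERABLE"), Event(17.0, "DC", "INOP"),
    Event(18.0, "AC", "OPERABLE"), Event(18.9, "DC", "OPERABLE"),
]

if __name__ == "__main__":
    for capped in (False, True):
        missed = first_missed_deadline(CONSTRUCTED_LOG, 24.0, capped)
        print(f"second Completion Time applied={capped}: first missed deadline={missed}")
```

Without the second Completion Time the alternating log never misses a deadline; with it, the occurrence is bounded at 16 hours after LCO 3.8.7.a was first not met.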
E.1 and E.2 If the inoperable electrical power distribution subsystem cannot be restored to OPERABLE status within the associated Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
F.1 Condition F corresponds to a level of degradation in the electrical power distribution system that causes a required safety function to be lost. When more than one Condition is entered, and this results in the loss of a required function, the plant is in a condition outside the accident analysis. Therefore, no additional time is justified for continued operation. LCO 3.0.3 must be entered immediately to commence a controlled shutdown.
SURVEILLANCE REQUIREMENTS SR 3.8.7.1 This Surveillance verifies that the AC and DC electrical power distribution systems are functioning properly, with the correct circuit breaker alignment (for the AC electrical power distribution system only). The correct AC breaker alignment ensures the appropriate separation and independence of the electrical buses are maintained, and power is available to each required bus. The verification of indicated power availability on the AC and DC buses ensures that the required power is readily available for motive as well as control functions for critical system loads connected to these buses. This may be performed by verification of absence of low voltage alarms. The 7 day Frequency takes into account the redundant capability of the AC and DC electrical power distribution subsystems, and other indications available in the control room that alert the operator to subsystem malfunctions.
REFERENCES
- 1. UFSAR, Chapter 14.
- 2. Regulatory Guide 1.93, December 1974.
Table B 3.8.7-1 (page 1 of 1)
AC and DC Electrical Power Distribution Systems

TYPE | VOLTAGE | DIVISION I* | DIVISION II* |
---|---|---|---|
AC buses | 4160 V | Emergency Buses E12, E32 | Emergency Buses E22, E42 |
 | 480 V | Load Centers E124, E324 | Load Centers E224, E424 |
DC buses | 250 V | Distribution Panel 2AD18 | Distribution Panel 2BD18 |
B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.8 Distribution Systems-Shutdown BASES BACKGROUND A description of the AC and DC electrical power distribution system is provided in the Bases for LCO 3.8.7, "Distribution Systems-Operating."
APPLICABLE SAFETY ANALYSES The initial conditions of Design Basis Accident and transient analyses in the UFSAR, Chapter 14 (Ref. 1), assume Engineered Safety Feature (ESF) systems are OPERABLE. The AC and DC electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded.
The OPERABILITY of the AC and DC electrical power distribution system is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.
The OPERABILITY of the minimum AC and DC electrical power sources and associated power distribution subsystems during MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment ensures that:
- a. The facility can be maintained in the shutdown or refueling condition for extended periods;
- b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and
- c. Adequate power is provided to mitigate events postulated during shutdown, such as an inadvertent draindown of the vessel or a fuel handling accident.
The AC and DC electrical power distribution systems satisfy Criterion 3 of the NRC Policy Statement.
LCO Various combinations of subsystems, equipment, and components are required OPERABLE by other LCOs, depending on the specific plant condition. Implicit in those requirements is the required OPERABILITY of necessary support required features. This LCO explicitly requires energization of the portions of the Unit 2 electrical distribution system necessary to support OPERABILITY of Technical Specifications required systems, equipment, and components-both specifically addressed by their own LCO, and implicitly required by the definition of OPERABILITY.
In addition, some components that may be required by Unit 2 receive power through Unit 3 electrical power distribution subsystems (e.g., Standby Gas Treatment (SGT) System and DC control power for two of the four 4 kV emergency buses, as well as control power for two of the diesel generators).
Therefore, Unit 3 AC and DC electrical power distribution subsystems needed to support the required equipment must also be OPERABLE.
In addition, it is acceptable for required buses to be cross-tied during shutdown conditions, permitting a single source to supply multiple redundant buses, provided the source is capable of maintaining proper frequency (if required) and voltage.
Maintaining these portions of the distribution system energized ensures the availability of sufficient power to operate the plant in a safe manner to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents and inadvertent reactor vessel draindown).
APPLICABILITY The AC and DC electrical power distribution subsystems required to be OPERABLE in MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment provide assurance that:
- a. Systems to provide adequate coolant inventory makeup are available for the irradiated fuel in the core in case of an inadvertent draindown of the reactor vessel;
- b. Systems needed to mitigate a fuel handling accident are available;
- c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and
- d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.
The AC and DC electrical power distribution subsystem requirements for MODES 1, 2, and 3 are covered in LCO 3.8.7.
ACTIONS LCO 3.0.3 is not applicable while in MODE 4 or 5. However, since irradiated fuel assembly movement can occur in MODE 1, 2, or 3, the ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, in either case, inability to suspend movement of irradiated fuel assemblies would not be sufficient reason to require a reactor shutdown.
A.1, A.2.1, A.2.2, A.2.3, A.2.4, and A.2.5 Although redundant required features may require redundant electrical power distribution subsystems to be OPERABLE, one OPERABLE distribution subsystem may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS, fuel movement, and operations with a potential for draining the reactor vessel. By allowing the option to declare required features inoperable with associated electrical power distribution subsystems inoperable, appropriate restrictions are implemented in accordance with the affected distribution subsystem LCO's Required Actions.
However, in many instances this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies in the secondary containment, and any activities that could result in inadvertent draining of the reactor vessel).
Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition.
These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required AC and DC electrical power distribution subsystems and to continue this action until restoration is accomplished in order to provide the necessary power to the plant safety systems.
Notwithstanding performance of the above conservative Required Actions, a required residual heat removal-shutdown cooling (RHR-SDC) subsystem may be inoperable. In this case, Required Actions A.2.1 through A.2.4 do not adequately address the concerns relating to coolant circulation and heat removal. Pursuant to LCO 3.0.6, the RHR-SDC ACTIONS would not be entered. Therefore, Required Action A.2.5 is provided to direct declaring RHR-SDC inoperable, which results in taking the appropriate RHR-SDC ACTIONS.
The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required electrical power distribution subsystems should be completed as quickly as possible in order to minimize the time the plant safety systems may be without power.
SURVEILLANCE REQUIREMENTS SR 3.8.8.1 This Surveillance verifies that the AC and DC electrical power distribution subsystem is functioning properly, with the buses energized. The verification of indicated power availability on the buses ensures that the required power is readily available for motive as well as control functions for critical system loads connected to these buses. This may be performed by verification of absence of low voltage alarms. The 7 day Frequency takes into account the redundant capability of the electrical power distribution subsystems, as well as other indications available in the control room that alert the operator to subsystem malfunctions.
REFERENCES 1. UFSAR, Chapter 14.
Refueling Equipment Interlocks B 3.9.1 B 3.9 REFUELING OPERATIONS B 3.9.1 Refueling Equipment Interlocks BASES BACKGROUND Refueling equipment interlocks restrict the operation of the refueling equipment or the withdrawal of control rods to reinforce unit procedures that prevent the reactor from achieving criticality during refueling. The refueling interlock circuitry senses the conditions of the refueling equipment and the control rods. Depending on the sensed conditions, interlocks are actuated to prevent the operation of the refueling equipment or the withdrawal of control rods.
Design criteria require that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1).
The control rods, when fully inserted, serve as the system capable of maintaining the reactor subcritical in cold conditions during all fuel movement activities and accidents.
One channel of instrumentation is provided to sense the position of the refueling platform, the loading of the refueling platform fuel grapple and the full insertion of all control rods. Additionally, inputs are provided for the loading of the refueling platform frame mounted auxiliary hoist and the loading of the refueling platform monorail mounted hoist. With the reactor mode switch in the shutdown or refueling position, the indicated conditions are combined in logic circuits to determine if all restrictions on refueling equipment operations and control rod insertion are satisfied.
A control rod not at its full-in position interrupts power to the refueling equipment and prevents operating the equipment over the reactor core when loaded with a fuel assembly. Conversely, the refueling equipment located over the core and loaded with fuel inserts a control rod withdrawal block in the Reactor Manual Control System to prevent withdrawing a control rod.
The refueling platform has two mechanical switches that open before the platform or any of its hoists are physically located over the reactor vessel. All refueling hoists have switches that open when the hoists are loaded with fuel.
The refueling interlocks use these indications to prevent operation of the refueling equipment with fuel loaded over the core whenever any control rod is withdrawn, or to prevent control rod withdrawal whenever fuel loaded refueling equipment is over the core (Ref. 2).
The hoist switches open at a load lighter than the weight of a single fuel assembly in water.
APPLICABLE SAFETY ANALYSES The refueling interlocks are explicitly assumed in the UFSAR analyses for the control rod removal error during refueling (Ref. 3) and the fuel assembly insertion error during refueling (Ref. 4). These analyses evaluate the consequences of control rod withdrawal during refueling and also fuel assembly insertion with a control rod withdrawn.
A prompt reactivity excursion during refueling could potentially result in fuel failure with subsequent release of radioactive material to the environment.
Criticality and, therefore, subsequent prompt reactivity excursions are prevented during the insertion of fuel, provided all control rods are fully inserted during the fuel insertion. The refueling interlocks accomplish this by preventing loading of fuel into the core with any control rod withdrawn or by preventing withdrawal of a rod from the core during fuel loading.
The refueling platform location switches activate at a point outside of the reactor core such that, with a fuel assembly loaded and a control rod withdrawn, the fuel is not over the core.
Refueling equipment interlocks satisfy Criterion 3 of the NRC Policy Statement.
LCO To prevent criticality during refueling, the refueling interlocks ensure that fuel assemblies are not loaded with any control rod withdrawn.
To prevent these conditions from developing, the all-rods-in, the refueling platform position, the refueling platform fuel grapple fuel loaded, the refueling platform frame mounted auxiliary hoist fuel loaded, and the refueling platform monorail mounted hoist fuel loaded inputs are required to be OPERABLE. These inputs are combined in logic circuits, which provide refueling equipment or control rod blocks to prevent operations that could result in criticality during refueling operations.
APPLICABILITY In MODE 5, a prompt reactivity excursion could cause fuel damage and subsequent release of radioactive material to the environment. The refueling equipment interlocks protect against prompt reactivity excursions during MODE 5. The interlocks are required to be OPERABLE during in-vessel fuel movement with refueling equipment associated with the interlocks.
In MODES 1, 2, 3, and 4, the reactor pressure vessel head is on, and in-vessel fuel movements are not possible.
Therefore, the refueling interlocks are not required to be OPERABLE in these MODES.
ACTIONS A.1 With one or more of the required refueling equipment interlocks inoperable, the unit must be placed in a condition in which the LCO does not apply. In-vessel fuel movement with the affected refueling equipment must be immediately suspended. This action ensures that operations are not performed with equipment that would potentially not be blocked from unacceptable operations (e.g., loading fuel into a cell with a control rod withdrawn). Suspension of in-vessel fuel movement shall not preclude completion of movement of a component to a safe position.
SURVEILLANCE REQUIREMENTS SR 3.9.1.1 Performance of a CHANNEL FUNCTIONAL TEST demonstrates each required refueling equipment interlock will function properly when a simulated or actual signal indicative of a required condition is injected into the logic. The CHANNEL FUNCTIONAL TEST may be performed by any series of sequential, overlapping, or total channel steps so that the entire channel is tested.
The 7 day Frequency is based on engineering judgment and is considered adequate in view of other indications of refueling interlocks and their associated input status that are available to unit operations personnel.
REFERENCES 1. UFSAR, Sections 1.5.1.1, 1.5.1.8.1, 1.5.2.2.7, and 1.5.2.7.1.
- 2. UFSAR, Section 7.6.3.
- 3. UFSAR, Section 14.5.3.3.
- 4. UFSAR, Section 14.5.3.4.
Refuel Position One-Rod-Out Interlock B 3.9.2 B 3.9 REFUELING OPERATIONS B 3.9.2 Refuel Position One-Rod-Out Interlock BASES BACKGROUND The refuel position one-rod-out interlock restricts the movement of control rods to reinforce unit procedures that prevent the reactor from becoming critical during refueling operations. During refueling operations, no more than one control rod is permitted to be withdrawn.
The UFSAR design criteria require that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1). The control rods serve as the system capable of maintaining the reactor subcritical in cold conditions.
The refuel position one-rod-out interlock prevents the selection of a second control rod for movement when any other control rod is not fully inserted (Ref. 2). It is a logic circuit that has redundant channels. It uses the all-rods-in signal (from the control rod full-in position indicators discussed in LCO 3.9.4, "Control Rod Position Indication") and a rod selection signal (from the Reactor Manual Control System).
This Specification ensures that the performance of the refuel position one-rod-out interlock in the event of a Design Basis Accident meets the assumptions used in the safety analysis of Reference 3.
APPLICABLE SAFETY ANALYSES The refueling position one-rod-out interlock is explicitly assumed in the UFSAR analysis for the control rod withdrawal error during refueling (Ref. 3). This analysis evaluates the consequences of control rod withdrawal during refueling.
A prompt reactivity excursion during refueling could potentially result in fuel failure with subsequent release of radioactive material to the environment.
The refuel position one-rod-out interlock and adequate SDM (LCO 3.1.1, "SHUTDOWN MARGIN (SDM)") prevent criticality by preventing withdrawal of more than one control rod. With one control rod withdrawn, the core will remain subcritical, thereby preventing any prompt critical excursion.
The refuel position one-rod-out interlock satisfies Criterion 3 of the NRC Policy Statement.
LCO To prevent criticality during MODE 5, the refuel position one-rod-out interlock ensures no more than one control rod may be withdrawn. Both channels of the refuel position one-rod-out interlock are required to be OPERABLE, and the reactor mode switch must be locked in the Refuel position to support the OPERABILITY of these channels.
APPLICABILITY In MODE 5, with the reactor mode switch in the refuel position, the OPERABLE refuel position one-rod-out interlock provides protection against prompt reactivity excursions.
In MODES 1, 2, 3, and 4, the refuel position one-rod-out interlock is not required to be OPERABLE and is bypassed.
In MODES 1 and 2, the Reactor Protection System (LCO 3.3.1.1) and the control rods (LCO 3.1.3) provide mitigation of potential reactivity excursions. In MODES 3 and 4, with the reactor mode switch in the shutdown position, a control rod block (LCO 3.3.2.1) ensures all control rods are inserted, thereby preventing criticality during shutdown conditions.
ACTIONS A.1 and A.2 With one or both channels of the refueling position one-rod-out interlock inoperable, the refueling interlocks may not be capable of preventing more than one control rod from being withdrawn. This condition may lead to criticality.
Control rod withdrawal must be immediately suspended, and action must be immediately initiated to fully insert all insertable control rods in core cells containing one or more fuel assemblies. Action must continue until all such control rods are fully inserted. Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and, therefore, do not have to be inserted.
SURVEILLANCE REQUIREMENTS SR 3.9.2.1 Proper functioning of the refueling position one-rod-out interlock requires the reactor mode switch to be in Refuel.
During control rod withdrawal in MODE 5, improper positioning of the reactor mode switch could, in some instances, allow improper bypassing of required interlocks.
Therefore, this Surveillance imposes an additional level of assurance that the refueling position one-rod-out interlock will be OPERABLE when required. By 'locking' the reactor mode switch in the proper position (i.e., removing the reactor mode switch key from the console while the reactor mode switch is positioned in refuel), an additional administrative control is in place to preclude operator errors from resulting in unanalyzed operation.
The Frequency of 12 hours is sufficient in view of other administrative controls utilized during refueling operations to ensure safe operation.
SR 3.9.2.2 Performance of a CHANNEL FUNCTIONAL TEST on each channel demonstrates the associated refuel position one-rod-out interlock will function properly when a simulated or actual signal indicative of a required condition is injected into the logic. The CHANNEL FUNCTIONAL TEST may be performed by any series of sequential, overlapping, or total channel steps so that the entire channel is tested. The 7 day Frequency is considered adequate because of demonstrated circuit reliability, procedural controls on control rod withdrawals, and visual and audible indications available in the control room to alert the operator to control rods not fully inserted. To perform the required testing, the applicable condition must be entered (i.e., a control rod must be withdrawn from its full-in position). Therefore, SR 3.9.2.2 has been modified by a Note that states the CHANNEL FUNCTIONAL TEST is not required to be performed until 1 hour after any control rod is withdrawn.
REFERENCES 1. UFSAR, Section 1.5.
- 2. UFSAR, Section 7.6.
- 3. UFSAR, Section 14.5.3.3.
Control Rod Position B 3.9.3 B 3.9 REFUELING OPERATIONS B 3.9.3 Control Rod Position BASES BACKGROUND Control rods provide the capability to maintain the reactor subcritical under all conditions and to limit the potential amount and rate of reactivity increase caused by a malfunction in the Reactor Manual Control System. During refueling, movement of control rods is limited by the refueling interlocks (LCO 3.9.1 and LCO 3.9.2) or the control rod block with the reactor mode switch in the shutdown position (LCO 3.3.2.1).
UFSAR design criteria require that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1).
The control rods serve as the system capable of maintaining the reactor subcritical in cold conditions.
The refueling interlocks allow a single control rod to be withdrawn at any time unless fuel is being loaded into the core. To preclude loading fuel assemblies into the core with a control rod withdrawn, all control rods must be fully inserted. This prevents the reactor from achieving criticality during refueling operations.
APPLICABLE SAFETY ANALYSES Prevention and mitigation of prompt reactivity excursions during refueling are provided by the refueling interlocks (LCO 3.9.1 and LCO 3.9.2), the SDM (LCO 3.1.1), the wide range neutron monitor period-short scram (LCO 3.3.1.1), and the control rod block instrumentation (LCO 3.3.2.1).
The safety analysis for the control rod withdrawal error during refueling in the UFSAR (Ref. 2) assumes the functioning of the refueling interlocks and adequate SDM.
The analysis for the fuel assembly insertion error (Ref. 3) assumes all control rods are fully inserted. Thus, prior to fuel reload, all control rods must be fully inserted to minimize the probability of an inadvertent criticality.
Control rod position satisfies Criterion 3 of the NRC Policy Statement.
LCO All control rods must be fully inserted during applicable refueling conditions to minimize the probability of an inadvertent criticality during refueling.
APPLICABILITY During MODE 5, loading fuel into core cells with control rods withdrawn may result in inadvertent criticality.
Therefore, the control rods must be inserted before loading fuel into a core cell. All control rods must be inserted before loading fuel to ensure that a fuel loading error does not result in loading fuel into a core cell with the control rod withdrawn.
In MODES 1, 2, 3, and 4, the reactor pressure vessel head is on, and no fuel loading activities are possible. Therefore, this Specification is not applicable in these MODES.
ACTIONS A.1 With all control rods not fully inserted during the applicable conditions, an inadvertent criticality could occur that is not analyzed in the UFSAR. All fuel loading operations must be immediately suspended. Suspension of these activities shall not preclude completion of movement of a component to a safe position.
SURVEILLANCE REQUIREMENTS SR 3.9.3.1 During refueling, to ensure that the reactor remains subcritical, all control rods must be fully inserted prior to and during fuel loading. Periodic checks of the control rod position ensure this condition is maintained.
The 12 hour Frequency takes into consideration the procedural controls on control rod movement during refueling as well as the redundant functions of the refueling interlocks.
REFERENCES 1. UFSAR, Section 1.5.
- 2. UFSAR, Section 14.5.3.3.
- 3. UFSAR, Section 14.5.3.4.
Control Rod Position Indication B 3.9.4 B 3.9 REFUELING OPERATIONS B 3.9.4 Control Rod Position Indication BASES BACKGROUND The full-in position indication for each control rod provides necessary information to the refueling interlocks to prevent inadvertent criticalities during refueling operations. During refueling, the refueling interlocks (LCO 3.9.1 and LCO 3.9.2) use the full-in position indication to limit the operation of the refueling equipment and the movement of the control rods. The absence of the full-in position indication signal for any control rod removes the all-rods-in permissive for the refueling equipment interlocks and prevents fuel loading. Also, this condition causes the refuel position one-rod-out interlock to not allow the withdrawal of any other control rod.
UFSAR design criteria require that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1).
The control rods serve as the system capable of maintaining the reactor subcritical in cold conditions.
APPLICABLE SAFETY ANALYSES Prevention and mitigation of prompt reactivity excursions during refueling are provided by the refueling interlocks (LCO 3.9.1 and LCO 3.9.2), the SDM (LCO 3.1.1), the wide range neutron monitor period-short scram (LCO 3.3.1.1), and the control rod block instrumentation (LCO 3.3.2.1).
The safety analysis for the control rod withdrawal error during refueling (Ref. 2) assumes the functioning of the refueling interlocks and adequate SDM. The analysis for the fuel assembly insertion error (Ref. 3) assumes all control rods are fully inserted. The full-in position indication is required to be OPERABLE so that the refueling interlocks can ensure that fuel cannot be loaded with any control rod withdrawn and that no more than one control rod can be withdrawn at a time.
Control rod position indication satisfies Criterion 3 of the NRC Policy Statement.
LCO Each control rod full-in position indication must be OPERABLE to provide the required input to the refueling interlocks. A full-in position indication is OPERABLE if it provides correct position indication to the refueling interlock logic.
APPLICABILITY During MODE 5, the control rods must have OPERABLE full-in position indication to ensure the applicable refueling interlocks will be OPERABLE.
In MODES 1 and 2, requirements for control rod position are specified in LCO 3.1.3, "Control Rod OPERABILITY." In MODES 3 and 4, with the reactor mode switch in the shutdown position, a control rod block (LCO 3.3.2.1) ensures all control rods are inserted, thereby preventing criticality during shutdown conditions.
ACTIONS A Note has been provided to modify the ACTIONS related to control rod position indication channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable control rod position indications provide appropriate compensatory measures for separate inoperable channels. As such, this Note has been provided, which allows separate Condition entry for each inoperable required control rod position indication.
A.1.1, A.1.2, A.1.3, A.2.1, and A.2.2 With one or more required full-in position indications inoperable, compensating actions must be taken to protect against potential reactivity excursions from fuel assembly insertions or control rod withdrawals. This may be accomplished by immediately suspending in-vessel fuel movement and control rod withdrawal, and immediately initiating action to fully insert all insertable control rods in core cells containing one or more fuel assemblies.
Actions must continue until all insertable control rods in core cells containing one or more fuel assemblies are fully inserted. Suspension of in-vessel fuel movements and control rod withdrawal shall not preclude moving a component to a safe position.
Alternatively, actions must be immediately initiated to fully insert the control rod(s) associated with the inoperable full-in position indicator(s) and disarm (electrically or hydraulically) the drive(s) to ensure that the control rod is not withdrawn. A control rod can be hydraulically disarmed by closing the drive water and exhaust water isolation valves. A control rod can be electrically disarmed by disconnecting power from all four direction control valve solenoids. Actions must continue until all associated control rods are fully inserted and drives are disarmed. Under these conditions (control rod fully inserted and disarmed), an inoperable full-in position indication may be bypassed to allow refueling operations to proceed. An alternate method must be used to ensure the control rod is fully inserted (e.g., use the "00" notch position indication).
SURVEILLANCE REQUIREMENTS SR 3.9.4.1 The full-in position indications provide input to the one-rod-out interlock and other refueling interlocks that require an all-rods-in permissive. The interlocks are actuated when the full-in position indication for any control rod is not present, since this indicates that all rods are not fully inserted. Therefore, testing of the full-in position indications is performed to ensure that when a control rod is withdrawn, the full-in position indication is not present. The full-in position indication is considered inoperable even with the control rod fully inserted, if it would continue to indicate full-in with the control rod withdrawn. Performing the SR each time a control rod is withdrawn is considered adequate because of the procedural controls on control rod withdrawals and the visual and audible indications available in the control room to alert the operator to control rods not fully inserted.
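The interlock behaviour described in B 3.9.1, B 3.9.2 and SR 3.9.4.1 can be checked as a small state machine. The Python sketch below is an added illustration, not plant logic or code from the licensee; the three-rod core, the state fields and the `stuck` parameter (full-in indicators that keep reporting full-in with the rod withdrawn) are assumptions, and the reactor mode switch is assumed locked in Refuel.

```python
from collections import deque
from typing import FrozenSet, Iterator, NamedTuple, Set

RODS = range(3)  # constructed toy core with three control rods


class State(NamedTuple):
    withdrawn: FrozenSet[int]  # rods physically not at full-in
    over_core: bool            # refueling platform located over the core
    fuel_loaded: bool          # a hoist or the grapple is loaded with fuel


def all_rods_in(state: State, stuck: FrozenSet[int]) -> bool:
    """All-rods-in permissive as the logic sees it.

    A rod whose indicator is in `stuck` reports full-in even when withdrawn,
    which is the condition SR 3.9.4.1 treats as inoperable.
    """
    return not (state.withdrawn - stuck)


def successors(state: State, stuck: FrozenSet[int]) -> Iterator[State]:
    """Yield every state reachable in one operator action the interlocks allow."""
    withdrawn, over, loaded = state
    permissive = all_rods_in(state, stuck)
    for rod in RODS:
        if rod in withdrawn:
            # Rod insertion is never blocked.
            yield State(withdrawn - {rod}, over, loaded)
        else:
            # B 3.9.1: loaded equipment over the core inserts a rod withdrawal block.
            rod_block = over and loaded
            # B 3.9.2: a rod can be selected only if every other rod indicates full-in.
            if not rod_block and permissive:
                yield State(withdrawn | {rod}, over, loaded)
    # Equipment moves: toggle platform position or hoist load.
    for nxt in (State(withdrawn, not over, loaded), State(withdrawn, over, not loaded)):
        # B 3.9.1: entering "loaded and over the core" needs the all-rods-in permissive.
        if not (nxt.over_core and nxt.fuel_loaded) or permissive:
            yield nxt


def violations(state: State) -> Set[str]:
    """Safety properties the Bases rely on, evaluated on the physical state."""
    found = set()
    if len(state.withdrawn) > 1:
        found.add("more than one control rod withdrawn")
    if state.over_core and state.fuel_loaded and state.withdrawn:
        found.add("fuel loaded over the core with a control rod withdrawn")
    return found


def reachable_violations(stuck: FrozenSet[int] = frozenset()) -> Set[str]:
    """Breadth-first search of all reachable states, collecting violated properties."""
    start = State(frozenset(), False, False)
    seen, queue, bad = {start}, deque([start]), set()
    while queue:
        current = queue.popleft()
        bad |= violations(current)
        for nxt in successors(current, stuck):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return bad


if __name__ == "__main__":
    print("all indicators working:", reachable_violations() or "no violations")
    print("rod 0 indicator stuck full-in:", reachable_violations(frozenset({0})))
```

With every indicator working, the search finds no reachable violation; with one indicator stuck at full-in, both properties can be violated, which is why the Bases treat such an indication as inoperable even while the rod is inserted.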
REFERENCES 1. UFSAR, Section 1.5.
- 2. UFSAR, Section 14.5.3.3.
- 3. UFSAR, Section 14.5.3.4.
Control Rod OPERABILITY-Refueling B 3.9.5 B 3.9 REFUELING OPERATIONS B 3.9.5 Control Rod OPERABILITY-Refueling BASES BACKGROUND Control rods are components of the Control Rod Drive (CRD) System, the primary reactivity control system for the reactor. In conjunction with the Reactor Protection System, the CRD System provides the means for the reliable control of reactivity changes during refueling operation. In addition, the control rods provide the capability to maintain the reactor subcritical under all conditions and to limit the potential amount and rate of reactivity increase caused by a malfunction in the CRD System.
UFSAR design criteria require that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1).
The CRD System is the system capable of maintaining the reactor subcritical in cold conditions.
APPLICABLE SAFETY ANALYSES Prevention and mitigation of prompt reactivity excursions during refueling are provided by refueling interlocks (LCO 3.9.1 and LCO 3.9.2), the SDM (LCO 3.1.1), the wide range neutron monitor period-short scram (LCO 3.3.1.1), and the control rod block instrumentation (LCO 3.3.2.1).
The safety analyses for the control rod withdrawal error during refueling (Ref. 2) and the fuel assembly insertion error (Ref. 3) evaluate the consequences of control rod withdrawal during refueling and also fuel assembly insertion with a control rod withdrawn. A prompt reactivity excursion during refueling could potentially result in fuel failure with subsequent release of radioactive material to the environment. Control rod scram provides protection should a prompt reactivity excursion occur.
Control rod OPERABILITY during refueling satisfies Criterion 3 of the NRC Policy Statement.
LCO Each withdrawn control rod must be OPERABLE. The withdrawn control rod is considered OPERABLE if the scram accumulator pressure is ≥ 940 psig and the control rod is capable of being automatically inserted upon receipt of a scram signal. Inserted control rods have already completed their reactivity control function, and therefore, are not required to be OPERABLE.
APPLICABILITY During MODE 5, withdrawn control rods must be OPERABLE to ensure that in a scram the control rods will insert and provide the required negative reactivity to maintain the reactor subcritical.
For MODES 1 and 2, control rod requirements are found in LCO 3.1.2, "Reactivity Anomalies," LCO 3.1.3, "Control Rod OPERABILITY," LCO 3.1.4, "Control Rod Scram Times," and LCO 3.1.5, "Control Rod Scram Accumulators." During MODES 3 and 4, control rods are not able to be withdrawn since the reactor mode switch is in shutdown and a control rod block is applied. This provides adequate requirements for control rod OPERABILITY during these conditions.
ACTIONS A.1 With one or more withdrawn control rods inoperable, action must be immediately initiated to fully insert the inoperable control rod(s). Inserting the control rod(s) ensures the shutdown and scram capabilities are not adversely affected.
Actions must continue until the inoperable control rod(s) is fully inserted.
SURVEILLANCE REQUIREMENTS SR 3.9.5.1 and SR 3.9.5.2 During MODE 5, the OPERABILITY of control rods is primarily required to ensure a withdrawn control rod will automatically insert if a signal requiring a reactor shutdown occurs. Because no explicit analysis exists for automatic shutdown during refueling, the shutdown function is satisfied if the withdrawn control rod is capable of automatic insertion and the associated CRD scram accumulator pressure is ≥ 940 psig.
The 7 day Frequency takes into consideration equipment reliability, procedural controls over the scram accumulators, and control room alarms and indicating lights that indicate low accumulator charge pressures.
SR 3.9.5.1 is modified by a Note that allows 7 days after withdrawal of the control rod to perform the Surveillance.
This acknowledges that the control rod must first be withdrawn before performance of the Surveillance, and therefore avoids potential conflicts with SR 3.0.3 and SR 3.0.4.
REFERENCES 1. UFSAR, Section 1.5.
- 2. UFSAR, Section 14.5.3.3.
- 3. UFSAR, Section 14.5.3.4.
RPV Water Level B 3.9.6 B 3.9 REFUELING OPERATIONS B 3.9.6 Reactor Pressure Vessel (RPV) Water Level BASES BACKGROUND The movement of fuel assemblies or handling of control rods within the RPV requires a minimum water level of 458 inches above RPV instrument zero. During refueling, this maintains a sufficient water level in the reactor vessel cavity and spent fuel pool. Sufficient water is necessary to retain iodine fission product activity in the water in the event of a fuel handling accident (Refs. 1 and 2). Sufficient iodine activity would be retained to limit offsite doses from the accident to well below the guidelines set forth in 10 CFR 100 (Ref. 3).
APPLICABLE SAFETY ANALYSES During movement of fuel assemblies or handling of control rods, the water level in the RPV and the spent fuel pool is an implicit initial condition design parameter in the analysis of a fuel handling accident in containment postulated in Reference 1. A minimum water level of 20 ft 11 inches above the top of the RPV flange allows a partition factor of 100 to be used in the accident analysis for halogens (Ref. 1).
Analysis of the fuel handling accident inside containment is described in Reference 1. With a minimum water level of 458 inches above RPV instrument zero (20 ft 11 inches above the top of the RPV flange) and a minimum decay time of 24 hours prior to fuel handling, the analysis and test programs demonstrate that the iodine release due to a postulated fuel handling accident is adequately captured by the water and that offsite doses are maintained within allowable limits (Ref. 3).
While the worst case assumptions include the dropping of an irradiated fuel assembly onto the reactor core, the possibility exists of the dropped assembly striking the RPV flange and releasing fission products. Therefore, the minimum depth for water coverage to ensure acceptable radiological consequences is specified from the RPV flange.
Since the worst case event results in failed fuel assemblies seated in the core, as well as the dropped assembly, dropping an assembly on the RPV flange will result in reduced releases of fission gases. Based on this judgement, and the physical dimensions which preclude normal operation with water level 23 feet above the flange, a slight reduction in this water level (to 20 ft 11 inches above the flange) is acceptable (Ref. 3).
RPV water level satisfies Criterion 2 of the NRC Policy Statement.
LCO A minimum water level of 458 inches above RPV instrument zero (20 ft 11 inches above the top of the RPV flange) is required to ensure that the radiological consequences of a postulated fuel handling accident are within acceptable limits.
APPLICABILITY LCO 3.9.6 is applicable when moving fuel assemblies or handling control rods (i.e., movement with other than the normal control rod drive) within the RPV. The LCO minimizes the possibility of a fuel handling accident in containment that is beyond the assumptions of the safety analysis. If irradiated fuel is not present within the RPV, there can be no significant radioactivity release as a result of a postulated fuel handling accident. Requirements for fuel handling accidents in the spent fuel storage pool are covered by LCO 3.7.7, "Spent Fuel Storage Pool Water Level."
ACTIONS A.1 If the water level is < 458 inches above RPV instrument zero, all operations involving movement of fuel assemblies and handling of control rods within the RPV shall be suspended immediately to ensure that a fuel handling accident cannot occur. The suspension of fuel movement and control rod handling shall not preclude completion of movement of a component to a safe position.
SURVEILLANCE REQUIREMENTS SR 3.9.6.1 Verification of a minimum water level of 458 inches above RPV instrument zero ensures that the design basis for the postulated fuel handling accident analysis during refueling operations is met. Water at the required level limits the consequences of damaged fuel rods, which are postulated to result from a fuel handling accident in containment (Ref. 1).
The Frequency of 24 hours is based on engineering judgment and is considered adequate in view of the large volume of water and the normal procedural controls on valve positions, which make significant unplanned level changes unlikely.
REFERENCES
1. UFSAR, Section 14.6.4.
2. UFSAR, Section 10.3.
3. 10 CFR 100.11.
RHR-High Water Level B 3.9.7 B 3.9 REFUELING OPERATIONS B 3.9.7 Residual Heat Removal (RHR)-High Water Level BASES BACKGROUND The purpose of the RHR System in MODE 5 is to remove decay heat and sensible heat from the reactor coolant, as required in UFSAR, Section 1.5. The RHR System has two loops with each loop consisting of two motor driven pumps, two heat exchangers, and associated piping and valves. There are two RHR shutdown cooling subsystems per RHR System loop. The four RHR shutdown cooling subsystems have a common suction from the same recirculation loop. Each pump discharges the reactor coolant, after it has been cooled by circulation through the respective heat exchangers, to the reactor via the associated recirculation loop. The RHR heat exchangers transfer heat to the High Pressure Service Water System.
The RHR shutdown cooling mode is manually controlled. Any one of the four RHR shutdown cooling subsystems can provide the required decay heat removal function.
In addition to the RHR subsystems, the volume of water above the reactor pressure vessel (RPV) flange provides a heat sink for decay heat removal.
APPLICABLE SAFETY ANALYSES With the unit in MODE 5, the RHR System is not required to mitigate any events or accidents evaluated in the safety analyses. The RHR System is required for removing decay heat to maintain the temperature of the reactor coolant.
The RHR System satisfies Criterion 4 of the NRC Policy Statement.
LCO Only one RHR shutdown cooling subsystem is required to be OPERABLE and in operation in MODE 5 with irradiated fuel in the RPV and the water level ≥ 458 inches above RPV instrument zero. Only one subsystem is required because the volume of water above the RPV flange provides backup decay heat removal capability.
An OPERABLE RHR shutdown cooling subsystem consists of an RHR pump, a heat exchanger, a High Pressure Service Water System pump capable of providing cooling to the heat exchanger, valves, piping, instruments, and controls to ensure an OPERABLE flow path. In MODE 5, the RHR cross-tie valve is not required to be closed; thus the valve may be opened to allow an RHR pump in one loop to discharge through the opposite recirculation loop to make a complete subsystem. In addition, the HPSW cross-tie valve may be open to allow a HPSW pump in one loop to provide cooling to a heat exchanger in the opposite loop to make a complete subsystem.
Additionally, each RHR shutdown cooling subsystem is considered OPERABLE if it can be manually aligned (remote or local) in the shutdown cooling mode for removal of decay heat. Operation (either continuous or intermittent) of one subsystem can maintain and reduce the reactor coolant temperature as required. However, to ensure adequate core flow to allow for accurate average reactor coolant temperature monitoring, nearly continuous operation is required. A Note is provided to allow a 2 hour exception to shut down the operating subsystem every 8 hours.
APPLICABILITY One RHR shutdown cooling subsystem must be OPERABLE and in operation in MODE 5, with irradiated fuel in the RPV and the water level ≥ 458 inches above RPV instrument zero (20 ft 11 inches above the top of the RPV flange), to provide decay heat removal. RHR shutdown cooling subsystem requirements in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System (RCS); Section 3.5, Emergency Core Cooling Systems (ECCS) and Reactor Core Isolation Cooling (RCIC) System; and Section 3.6, Containment Systems. RHR Shutdown Cooling System requirements in MODE 5 with irradiated fuel in the RPV and the water level < 458 inches above RPV instrument zero are given in LCO 3.9.8.
ACTIONS A.1 With no RHR shutdown cooling subsystem OPERABLE, an alternate method of decay heat removal must be established within 1 hour. In this condition, the volume of water above the RPV flange provides adequate capability to remove decay heat from the reactor core. However, the overall reliability is reduced because loss of water level could result in reduced decay heat removal capability. The 1 hour Completion Time is based on decay heat removal function and the probability of a loss of the available decay heat removal capabilities. Furthermore, verification of the functional availability of these alternate method(s) must be reconfirmed every 24 hours thereafter. This will ensure continued heat removal capability.
Alternate decay heat removal methods are available to the operators for review and preplanning in the unit's Operating Procedures. For example, this may include the use of the Reactor Water Cleanup System, operating with the regenerative heat exchanger bypassed. The method used to remove the decay heat should be the most prudent choice based on unit conditions.
B.1, B.2, B.3, and B.4 If no RHR shutdown cooling subsystem is OPERABLE and an alternate method of decay heat removal is not available in accordance with Required Action A.1, actions shall be taken immediately to suspend operations involving an increase in reactor decay heat load by suspending loading of irradiated fuel assemblies into the RPV.
Additional actions are required to minimize any potential fission product release to the environment. This includes ensuring secondary containment is OPERABLE; one standby gas treatment subsystem for Unit 2 is OPERABLE; and secondary containment isolation capability (i.e., one secondary containment isolation valve and associated instrumentation are OPERABLE or other acceptable administrative controls to assure isolation capability) in each associated penetration not isolated that is assumed to be isolated to mitigate radioactive releases. This may be performed as an administrative check, by examining logs or other information to determine whether the components are out of service for maintenance or other reasons. It is not necessary to perform the Surveillances needed to demonstrate the OPERABILITY of the components. If, however, any required component is inoperable, then it must be restored to OPERABLE status. In this case, a surveillance may need to be performed to restore the component to OPERABLE status.
Actions must continue until all required components are OPERABLE.
C.1 and C.2 If no RHR shutdown cooling subsystem is in operation, an alternate method of coolant circulation is required to be established within 1 hour. This alternate method may utilize forced or natural circulation cooling. The Completion Time is modified such that the 1 hour is applicable separately for each occurrence involving a loss of coolant circulation.
During the period when the reactor coolant is being circulated by an alternate method (other than by the required RHR shutdown cooling subsystem), the reactor coolant temperature must be periodically monitored to ensure proper functioning of the alternate method. The once per hour Completion Time is deemed appropriate.
SURVEILLANCE REQUIREMENTS SR 3.9.7.1 This Surveillance demonstrates that the RHR shutdown cooling subsystem is in operation and circulating reactor coolant.
The required flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability. The Frequency of 12 hours is sufficient in view of other visual and audible indications available to the operator for monitoring the RHR shutdown cooling subsystem in the control room.
REFERENCES None.
RHR-Low Water Level B 3.9.8 B 3.9 REFUELING OPERATIONS B 3.9.8 Residual Heat Removal (RHR)-Low Water Level BASES BACKGROUND The purpose of the RHR System in MODE 5 is to remove decay heat and sensible heat from the reactor coolant, as required in UFSAR Section 1.5. The RHR System has two loops with each loop consisting of two motor driven pumps, two heat exchangers, and associated piping and valves. There are two RHR shutdown cooling subsystems per RHR System loop. The four RHR shutdown cooling subsystems have a common suction from the same recirculation loop. Each pump discharges the reactor coolant, after it has been cooled by circulation through the respective heat exchangers, to the reactor via the associated recirculation loop. The RHR heat exchangers transfer heat to the High Pressure Service Water System.
The RHR shutdown cooling mode is manually controlled. Any one of the four RHR shutdown cooling subsystems can provide the required decay heat removal function.
APPLICABLE SAFETY ANALYSES With the unit in MODE 5, the RHR System is not required to mitigate any events or accidents evaluated in the safety analyses. The RHR System is required for removing decay heat to maintain the temperature of the reactor coolant.
The RHR System satisfies Criterion 4 of the NRC Policy Statement.
LCO In MODE 5 with irradiated fuel in the RPV and the water level < 458 inches above reactor pressure vessel (RPV) instrument zero, both RHR shutdown cooling subsystems must be OPERABLE.
An OPERABLE RHR shutdown cooling subsystem consists of an RHR pump, a heat exchanger, a High Pressure Service Water System pump capable of providing cooling to the heat exchanger, valves, piping, instruments, and controls to ensure an OPERABLE flow path. The two subsystems have a common suction source and are allowed to have common discharge piping. Since piping is a passive component that is assumed not to fail, it is allowed to be common to both subsystems. In MODE 5, the RHR cross-tie valve is not required to be closed, thus the valve may be opened to allow an RHR pump in one loop to discharge through the opposite recirculation loop to make a complete subsystem. In addition, the HPSW cross-tie valve may be open to allow a HPSW pump in one loop to provide cooling to a heat exchanger in the opposite loop to make a complete subsystem.
Additionally, each RHR shutdown cooling subsystem is considered OPERABLE if it can be manually aligned (remote or local) in the shutdown cooling mode for removal of decay heat. Operation (either continuous or intermittent) of one subsystem can maintain and reduce the reactor coolant temperature as required. However, to ensure adequate core flow to allow for accurate average reactor coolant temperature monitoring, nearly continuous operation is required. A Note is provided to allow a 2 hour exception to shut down the operating subsystem every 8 hours.
APPLICABILITY Two RHR shutdown cooling subsystems are required to be OPERABLE, and one must be in operation in MODE 5, with irradiated fuel in the RPV and the water level < 458 inches above RPV instrument zero (20 ft 11 inches above the top of the RPV flange), to provide decay heat removal. RHR shutdown cooling subsystem requirements in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System (RCS); Section 3.5, Emergency Core Cooling Systems (ECCS) and Reactor Core Isolation Cooling (RCIC) System; and Section 3.6, Containment Systems. RHR Shutdown Cooling System requirements in MODE 5 with irradiated fuel in the RPV and the water level ≥ 458 inches above RPV instrument zero are given in LCO 3.9.7, "Residual Heat Removal (RHR)-High Water Level."
ACTIONS A.1
With one of the two required RHR shutdown cooling subsystems inoperable, the remaining subsystem is capable of providing the required decay heat removal. However, the overall reliability is reduced. Therefore an alternate method of decay heat removal must be provided. With both required RHR shutdown cooling subsystems inoperable, an alternate method of decay heat removal must be provided in addition to that provided for the initial RHR shutdown cooling subsystem inoperability. This re-establishes backup decay heat removal capabilities, similar to the requirements of the LCO. The 1 hour Completion Time is based on the decay heat removal function and the probability of a loss of the available decay heat removal capabilities. Furthermore, verification of the functional availability of this alternate method(s) must be reconfirmed every 24 hours thereafter. This will ensure continued heat removal capability.
Alternate decay heat removal methods are available to the operators for review and preplanning in the unit's Operating Procedures. For example, this may include the use of the Reactor Water Cleanup System, operating with the regenerative heat exchanger bypassed. The method used to remove decay heat should be the most prudent choice based on unit conditions.
B.1, B.2, and B.3 With the required decay heat removal subsystem(s) inoperable and the required alternate method(s) of decay heat removal not available in accordance with Required Action A.1, additional actions are required to minimize any potential fission product release to the environment. This includes ensuring secondary containment is OPERABLE; one standby gas treatment subsystem for Unit 2 is OPERABLE; and secondary containment isolation capability (i.e., one secondary containment isolation valve and associated instrumentation are OPERABLE or other acceptable administrative controls to assure isolation capability) in each associated penetration that is assumed to be isolated to mitigate radioactive releases. This may be performed as an administrative check, by examining logs or other information to determine whether the components are out of service for maintenance or other reasons. It is not necessary to perform the Surveillances needed to demonstrate the OPERABILITY of the components.
If, however, any required component is inoperable, then it must be restored to OPERABLE status. In this case, the surveillance may need to be performed to restore the component to OPERABLE status. Actions must continue until all required components are OPERABLE.
C.1 and C.2 If no RHR shutdown cooling subsystem is in operation, an alternate method of coolant circulation is required to be established within 1 hour. This alternate method may utilize forced or natural circulation cooling. The Completion Time is modified such that the 1 hour is applicable separately for each occurrence involving a loss of coolant circulation.
During the period when the reactor coolant is being circulated by an alternate method (other than by the required RHR shutdown cooling subsystem), the reactor coolant temperature must be periodically monitored to ensure proper functioning of the alternate method. The once per hour Completion Time is deemed appropriate.
SURVEILLANCE REQUIREMENTS SR 3.9.8.1 This Surveillance demonstrates that one RHR shutdown cooling subsystem is in operation and circulating reactor coolant.
The required flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability.
The Frequency of 12 hours is sufficient in view of other visual and audible indications available to the operator for monitoring the RHR shutdown cooling subsystems in the control room.
REFERENCES None.
Inservice Leak and Hydrostatic Testing Operation B 3.10.1 B 3.10 SPECIAL OPERATIONS B 3.10.1 Inservice Leak and Hydrostatic Testing Operation BASES BACKGROUND The purpose of this Special Operations LCO is to allow certain reactor coolant pressure tests to be performed in MODE 4 when the metallurgical characteristics of the reactor pressure vessel (RPV) or plant temperature control capabilities during these tests require the pressure testing at temperatures > 212°F (normally corresponding to MODE 3).
Inservice hydrostatic testing and system leakage pressure tests required by Section XI of the American Society of Mechanical Engineers (ASME) Boiler and Pressure Vessel Code (Ref. 1) are performed prior to the reactor going critical after a refueling outage. Recirculation pump operation and a water solid RPV (except for an air bubble for pressure control) are used to achieve the necessary temperatures and pressures required for these tests. The minimum temperatures (at the required pressures) allowed for these tests are determined from the RPV pressure and temperature (P/T) limits required by LCO 3.4.9, "Reactor Coolant System (RCS) Pressure and Temperature (P/T) Limits." These limits are conservatively based on the fracture toughness of the reactor vessel, taking into account anticipated vessel neutron fluence.
With increased reactor vessel fluence over time, the minimum allowable vessel temperature increases at a given pressure.
Periodic updates to the RCS P/T limit curves are performed as necessary, based upon the results of analyses of irradiated surveillance specimens removed from the vessel.
Hydrostatic and leak testing may eventually be required with minimum reactor coolant temperatures > 212°F.
APPLICABLE SAFETY ANALYSES Allowing the reactor to be considered in MODE 4 during hydrostatic or leak testing, when the reactor coolant temperature is > 212°F, effectively provides an exception to MODE 3 requirements, including OPERABILITY of primary containment and the full complement of redundant Emergency Core Cooling Systems. Since the hydrostatic or leak tests are performed nearly water solid (except for an air bubble for pressure control), at low decay heat values, and near MODE 4 conditions, the stored energy in the reactor core will be very low. Under these conditions, the potential for
PBAPS UNIT 2 B 3.10-1 Revision No. 1
failed fuel and a subsequent increase in coolant activity above the LCO 3.4.6, "RCS Specific Activity," limits are minimized. In addition, the secondary containment will be OPERABLE, in accordance with this Special Operations LCO, and will be capable of handling any airborne radioactivity or steam leaks that could occur during the performance of hydrostatic or leak testing. The required pressure testing conditions provide adequate assurance that the consequences of a steam leak will be conservatively bounded by the consequences of the postulated main steam line break outside of primary containment described in Reference 2. Therefore, these requirements will conservatively limit radiation releases to the environment.
In the event of a large primary system leak, the reactor vessel would rapidly depressurize, allowing the low pressure core cooling systems to operate. The capability of the low pressure coolant injection and core spray subsystems, as required in MODE 4 by LCO 3.5.2, "ECCS-Shutdown," would be more than adequate to keep the core flooded under this low decay heat load condition. Small system leaks would be detected by leakage inspections before significant inventory loss occurred.
For the purposes of this test, the protection provided by normally required MODE 4 applicable LCOs, in addition to the secondary containment requirements required to be met by this Special Operations LCO, will ensure acceptable consequences during normal hydrostatic test conditions and during postulated accident conditions.
As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of the NRC Policy Statement apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.
LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation at reactor coolant temperatures > 212°F can be in accordance with Table 1.1-1 for MODE 3 operation without meeting this Special Operations LCO or its ACTIONS. This option may be required due to P/T limits, however, which require testing at temperatures > 212°F, while the ASME inservice test itself requires the safety/relief valves to be gagged, preventing their OPERABILITY.
If it is desired to perform these tests while complying with this Special Operations LCO, then the MODE 4 applicable LCOs and specified MODE 3 LCOs must be met. This Special Operations LCO allows changing Table 1.1-1 temperature limits for MODE 4 to "NA" and suspending the requirements of LCO 3.4.8, "Residual Heat Removal (RHR) Shutdown Cooling System-Cold Shutdown." The additional requirements for secondary containment LCOs to be met will provide sufficient protection for operations at reactor coolant temperatures > 212°F for the purpose of performing either an inservice leak or hydrostatic test.
This LCO allows primary containment to be open for frequent unobstructed access to perform inspections, and for outage activities on various systems to continue consistent with the MODE 4 applicable requirements that are in effect immediately prior to and immediately after this operation.
APPLICABILITY The MODE 4 requirements may only be modified for the performance of inservice leak or hydrostatic tests so that these operations can be considered as in MODE 4, even though the reactor coolant temperature is > 212°F. The additional requirement for secondary containment OPERABILITY according to the imposed MODE 3 requirements provides conservatism in the response of the unit to any event that may occur.
Operations in all other MODES are unaffected by this LCO.
ACTIONS A Note has been provided to modify the ACTIONS related to inservice leak and hydrostatic testing operation.
Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits, will not result in separate entry into the Condition.
Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for each requirement of the LCO not met provide appropriate compensatory measures for separate requirements that are not met. As such, a Note has been provided that allows separate Condition entry for each requirement of the LCO.
A.1 If an LCO specified in LCO 3.10.1 is not met, the ACTIONS applicable to the stated requirements are entered immediately and complied with. Required Action A.1 has been modified by a Note that clarifies the intent of another LCO's Required Action to be in MODE 4 includes reducing the average reactor coolant temperature to ≤ 212°F.
A.2.1 and A.2.2 Required Action A.2.1 and Required Action A.2.2 are alternate Required Actions that can be taken instead of Required Action A.1 to restore compliance with the normal MODE 4 requirements, and thereby exit this Special Operation LCO's Applicability. Activities that could further increase reactor coolant temperature or pressure are suspended immediately, in accordance with Required Action A.2.1, and the reactor coolant temperature is reduced to establish normal MODE 4 requirements. The allowed Completion Time of 24 hours for Required Action A.2.2 is based on engineering judgment and provides sufficient time to reduce the average reactor coolant temperature from the highest expected value to ≤ 212°F with normal cooldown procedures. The Completion Time is also consistent with the time provided in LCO 3.0.3 to reach MODE 4 from MODE 3.
SURVEILLANCE REQUIREMENTS SR 3.10.1.1 The LCOs made applicable are required to have their Surveillances met to establish that this LCO is being met.
A discussion of the applicable SRs is provided in their respective Bases.
REFERENCES
1. American Society of Mechanical Engineers, Boiler and Pressure Vessel Code, Section XI.
2. UFSAR, Section 14.6.5.
Reactor Mode Switch Interlock Testing B 3.10.2 B 3.10 SPECIAL OPERATIONS B 3.10.2 Reactor Mode Switch Interlock Testing BASES BACKGROUND The purpose of this Special Operations LCO is to permit operation of the reactor mode switch from one position to another to confirm certain aspects of associated interlocks during periodic tests and calibrations in MODES 3, 4, and 5.
The reactor mode switch is a conveniently located, multiposition, keylock switch provided to select the necessary scram functions for various plant conditions (Ref. 1). The reactor mode switch selects the appropriate trip relays for scram functions and provides appropriate bypasses. The mode switch positions and related scram interlock functions are summarized as follows:
- a. Shutdown - Initiates a reactor scram; bypasses main steam line isolation and main condenser low vacuum scrams;
- b. Refuel - Selects Neutron Monitoring System (NMS) scram function for low neutron flux level operation (wide range neutron monitors and average power range monitor setdown scram); bypasses main steam line isolation and main condenser low vacuum scrams;
- c. Startup/Hot Standby - Selects NMS scram function for low neutron flux level operation (wide range neutron monitors and average power range monitors); bypasses main steam line isolation and main condenser low vacuum scrams; and
- d. Run - Selects NMS scram function for power range operation.
The reactor mode switch also provides interlocks for such functions as control rod blocks, scram discharge volume trip bypass, refueling interlocks, and main steam isolation valve isolations.
APPLICABLE SAFETY ANALYSES The acceptance criterion for reactor mode switch interlock testing is to prevent fuel failure by precluding reactivity excursions or core criticality. The interlock functions of
PBAPS UNIT 2 B 3.10-5 Revision No. 24
the shutdown and refuel positions normally maintained for the reactor mode switch in MODES 3, 4, and 5 are provided to preclude reactivity excursions that could potentially result in fuel failure. Interlock testing that requires moving the reactor mode switch to other positions (run, startup/hot standby, or refuel) while in MODE 3, 4, or 5, requires administratively maintaining all control rods inserted and no other CORE ALTERATIONS in progress. With all control rods inserted in core cells containing one or more fuel assemblies, and no CORE ALTERATIONS in progress, there are no credible mechanisms for unacceptable reactivity excursions during the planned interlock testing.
For postulated accidents, such as control rod removal error during refueling or loading of fuel with a control rod withdrawn, the accident analysis demonstrates that fuel failure will not occur (Refs. 2 and 3). The withdrawal of a single control rod will not result in criticality when adequate SDM is maintained. Also, loading fuel assemblies into the core with a single control rod withdrawn will not result in criticality, thereby preventing fuel failure.
As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of the NRC Policy Statement apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.
LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. MODES 3, 4, and 5 operations not specified in Table 1.1-1 can be performed in accordance with other Special Operations LCOs (i.e., LCO 3.10.1, "Inservice Leak and Hydrostatic Testing Operation," LCO 3.10.3, "Single Control Rod Withdrawal-Hot Shutdown," LCO 3.10.4, "Single Control Rod Withdrawal-Cold Shutdown," and LCO 3.10.8, "SDM Test-Refueling") without meeting this LCO or its ACTIONS. If any testing is performed that involves the reactor mode switch interlocks and requires repositioning beyond that specified in Table 1.1-1 for the current MODE of operation, the testing can be performed, provided all interlock functions potentially defeated are administratively controlled. In MODES 3, 4, and 5 with the reactor mode switch in shutdown as specified in Table 1.1-1, all control rods are fully inserted and a control rod block is initiated. Therefore, all control rods in core cells that contain one or more fuel assemblies must be verified fully inserted while in MODES 3, 4, and 5, with the reactor mode switch in other than the shutdown position. The additional LCO requirement to preclude CORE ALTERATIONS is appropriate for MODE 5 operations, as discussed below, and is inherently met in MODES 3 and 4 by the definition of CORE ALTERATIONS, which cannot be performed with the vessel head in place.
In MODE 5, with the reactor mode switch in the refuel position, only one control rod can be withdrawn under the refuel position one-rod-out interlock (LCO 3.9.2, "Refuel Position One-Rod-Out Interlock"). The refueling equipment interlocks (LCO 3.9.1, "Refueling Equipment Interlocks") appropriately control other CORE ALTERATIONS. Due to the increased potential for error in controlling these multiple interlocks, and the limited duration of tests involving the reactor mode switch position, conservative controls are required, consistent with MODES 3 and 4. The additional controls of administratively not permitting other CORE ALTERATIONS will adequately ensure that the reactor does not become critical during these tests.
APPLICABILITY Any required periodic interlock testing involving the reactor mode switch, while in MODES 1 and 2, can be performed without the need for Special Operations exceptions. Mode switch manipulations in these MODES would likely result in unit trips. In MODES 3, 4, and 5, this Special Operations LCO is only permitted to be used to allow reactor mode switch interlock testing that cannot conveniently be performed without this allowance or testing which must be performed prior to entering another MODE.
Such interlock testing may consist of required Surveillances, or may be the result of maintenance, repair, or troubleshooting activities. In MODES 3, 4, and 5, the interlock functions provided by the reactor mode switch in shutdown (i.e., all control rods inserted and incapable of withdrawal) and refueling (i.e., refueling interlocks to prevent inadvertent criticality during CORE ALTERATIONS) positions can be administratively controlled adequately during the performance of certain tests.
ACTIONS A.1, A.2, A.3.1, and A.3.2 These Required Actions are provided to restore compliance with the Technical Specifications overridden by this Special Operations LCO. Restoring compliance will also result in exiting the Applicability of this Special Operations LCO.
All CORE ALTERATIONS except control rod insertion, if in progress, are immediately suspended in accordance with Required Action A.1, and all insertable control rods in core cells that contain one or more fuel assemblies are fully inserted within 1 hour, in accordance with Required Action A.2. This will preclude potential mechanisms that could lead to criticality. Suspension of CORE ALTERATIONS shall not preclude the completion of movement of a component to a safe condition. Placing the reactor mode switch in the shutdown position will ensure that all inserted control rods remain inserted and result in operating in accordance with Table 1.1-1. Alternatively, if in MODE 5, the reactor mode switch may be placed in the refuel position, which will also result in operating in accordance with Table 1.1-1. A Note is added to Required Action A.3.2 to indicate that this Required Action is only applicable in MODE 5, since only the shutdown position is allowed in MODES 3 and 4. The allowed Completion Time of 1 hour for Required Action A.2, Required Action A.3.1, and Required Action A.3.2 provides sufficient time to normally insert the control rods and place the reactor mode switch in the required position, based on operating experience, and is acceptable given that all operations that could increase core reactivity have been suspended.
SURVEILLANCE REQUIREMENTS SR 3.10.2.1 and SR 3.10.2.2 Meeting the requirements of this Special Operations LCO maintains operation consistent with or conservative to operating with the reactor mode switch in the shutdown position (or the refuel position for MODE 5). The functions of the reactor mode switch interlocks that are not in effect, due to the testing in progress, are adequately compensated for by the Special Operations LCO requirements.
The administrative controls are to be periodically verified to ensure that the operational requirements continue to be met. The Surveillances performed at the 12 hour and 24 hour Frequencies are intended to provide appropriate assurance that each operating shift is aware of and verifies compliance with these Special Operations LCO requirements.
REFERENCES 1. UFSAR, Section 7.2.3.7.
2. UFSAR, Section 14.5.3.3.
3. UFSAR, Section 14.5.3.4.
Single Control Rod Withdrawal-Hot Shutdown B 3.10.3 B 3.10 SPECIAL OPERATIONS B 3.10.3 Single Control Rod Withdrawal-Hot Shutdown BASES BACKGROUND The purpose of this MODE 3 Special Operations LCO is to permit the withdrawal of a single control rod for testing while in hot shutdown, by imposing certain restrictions. In MODE 3, the reactor mode switch is in the shutdown position, and all control rods are inserted and blocked from withdrawal. Many systems and functions are not required in these conditions, due to the other installed interlocks that are actuated when the reactor mode switch is in the shutdown position. However, circumstances may arise while in MODE 3 that present the need to withdraw a single control rod for various tests (e.g., friction tests, scram timing, and coupling integrity checks). These single control rod withdrawals are normally accomplished by selecting the refuel position for the reactor mode switch. This Special Operations LCO provides the appropriate additional controls to allow a single control rod withdrawal in MODE 3.
APPLICABLE SAFETY ANALYSES With the reactor mode switch in the refuel position, the analyses for control rod withdrawal during refueling are applicable and, provided the assumptions of these analyses are satisfied in MODE 3, these analyses will bound the consequences of an accident. Explicit safety analyses in the UFSAR (Refs. 1 and 2) demonstrate that the functioning of the refueling interlocks and adequate SDM will preclude unacceptable reactivity excursions.
Refueling interlocks restrict the movement of control rods to reinforce operational procedures that prevent the reactor from becoming critical. These interlocks prevent the withdrawal of more than one control rod. Under these conditions, since only one control rod can be withdrawn, the core will always be shut down even with the highest worth control rod withdrawn if adequate SDM exists.
The control rod scram function provides backup protection to normal refueling procedures and the refueling interlocks, which prevent inadvertent criticalities during refueling. Alternate backup protection can be obtained by ensuring that a five by five array of control rods, centered on the withdrawn control rod, are inserted and incapable of withdrawal.
As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of the NRC Policy Statement apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.
LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation in MODE 3 with the reactor mode switch in the refuel position can be performed in accordance with other Special Operations LCOs (i.e., LCO 3.10.2, "Reactor Mode Switch Interlock Testing") without meeting this Special Operations LCO or its ACTIONS. However, if a single control rod withdrawal is desired in MODE 3, controls consistent with those required during refueling must be implemented and this Special Operations LCO applied. "Withdrawal," in this application, includes the actual withdrawal of the control rod, as well as maintaining the control rod in a position other than the full-in position, and reinserting the control rod. The refueling interlocks of LCO 3.9.2, "Refuel Position One-Rod-Out Interlock," required by this Special Operations LCO, will ensure that only one control rod can be withdrawn.
To back up the refueling interlocks (LCO 3.9.2), the ability to scram the withdrawn control rod in the event of an inadvertent criticality is provided by this Special Operations LCO's requirements in Item d.1. Alternately, provided a sufficient number of control rods in the vicinity of the withdrawn control rod are known to be inserted and incapable of withdrawal, Item d.2, the possibility of criticality on withdrawal of this control rod is sufficiently precluded, so as not to require the scram capability of the withdrawn control rod. Also, once this alternate (d.2) is completed, the SDM requirement to account for both the withdrawn untrippable (inoperable) control rod, and the highest worth control rod may be changed to allow the withdrawn untrippable (inoperable) control rod to be the single highest worth control rod.
APPLICABILITY Control rod withdrawals are adequately controlled in MODES 1, 2, and 5 by existing LCOs. In MODES 3 and 4, control rod withdrawal is only allowed if performed in accordance with this Special Operations LCO or Special Operations LCO 3.10.4, and if limited to one control rod.
This allowance is only provided with the reactor mode switch in the refuel position. For these conditions, the one-rod-out interlock (LCO 3.9.2), control rod position indication (LCO 3.9.4, "Control Rod Position Indication"), full insertion requirements for all other control rods and scram functions (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," and LCO 3.9.5, "Control Rod OPERABILITY-Refueling"), or the added administrative controls in Item d.2 of this Special Operations LCO, minimize potential reactivity excursions.
ACTIONS A Note has been provided to modify the ACTIONS related to a single control rod withdrawal while in MODE 3. Section 1.3, Completion Times, specifies once a Condition has been entered, subsequent divisions, subsystems, components or variables expressed in the Condition discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for each requirement of the LCO not met provide appropriate compensatory measures for separate requirements that are not met. As such, a Note has been provided that allows separate Condition entry for each requirement of the LCO.
A.1 If one or more of the requirements specified in this Special Operations LCO are not met, the ACTIONS applicable to the stated requirements of the affected LCOs are immediately entered as directed by Required Action A.1. Required Action A.1 has been modified by a Note that clarifies the intent of any other LCO's Required Action to insert all control rods. This Required Action includes exiting this Special Operations Applicability by returning the reactor mode switch to the shutdown position. A second Note has been added, which clarifies that this Required Action is only applicable if the requirements not met are for an affected LCO.
A.2.1 and A.2.2 Required Actions A.2.1 and A.2.2 are alternate Required Actions that can be taken instead of Required Action A.1 to restore compliance with the normal MODE 3 requirements, thereby exiting this Special Operations LCO's Applicability.
Actions must be initiated immediately to insert all insertable control rods. Actions must continue until all such control rods are fully inserted. Placing the reactor mode switch in the shutdown position will ensure all inserted rods remain inserted and restore operation in accordance with Table 1.1-1. The allowed Completion Time of 1 hour to place the reactor mode switch in the shutdown position provides sufficient time to normally insert the control rods.
SURVEILLANCE REQUIREMENTS SR 3.10.3.1, SR 3.10.3.2, and SR 3.10.3.3 The other LCOs made applicable in this Special Operations LCO are required to have their Surveillances met to establish that this Special Operations LCO is being met. If the local array of control rods is inserted and disarmed while the scram function for the withdrawn rod is not available, periodic verification in accordance with SR 3.10.3.2 is required to preclude the possibility of criticality. SR 3.10.3.2 has been modified by a Note, which clarifies that this SR is not required to be met if SR 3.10.3.1 is satisfied for LCO 3.10.3.d.1 requirements, since SR 3.10.3.2 demonstrates that the alternative LCO 3.10.3.d.2 requirements are satisfied. Also, SR 3.10.3.3 verifies that all control rods other than the control rod being withdrawn are fully inserted. The 24 hour Frequency is acceptable because of the administrative controls on control rod withdrawal, the protection afforded by the LCOs involved, and hardwire interlocks that preclude additional control rod withdrawals.
REFERENCES 1. UFSAR, Section 7.6.4.
2. UFSAR, Section 14.5.3.3.
Single Control Rod Withdrawal-Cold Shutdown B 3.10.4 B 3.10 SPECIAL OPERATIONS B 3.10.4 Single Control Rod Withdrawal-Cold Shutdown BASES BACKGROUND The purpose of this MODE 4 Special Operations LCO is to permit the withdrawal of a single control rod for testing or maintenance, while in cold shutdown, by imposing certain restrictions. In MODE 4, the reactor mode switch is in the shutdown position, and all control rods are inserted and blocked from withdrawal. Many systems and functions are not required in these conditions, due to the installed interlocks associated with the reactor mode switch in the shutdown position. Circumstances may arise while in MODE 4, however, that present the need to withdraw a single control rod for various tests (e.g., friction tests, scram time testing, and coupling integrity checks). Certain situations may also require the removal of the associated control rod drive (CRD). These single control rod withdrawals and possible subsequent removals are normally accomplished by selecting the refuel position for the reactor mode switch.
APPLICABLE SAFETY ANALYSES With the reactor mode switch in the refuel position, the analyses for control rod withdrawal during refueling are applicable and, provided the assumptions of these analyses are satisfied in MODE 4, these analyses will bound the consequences of an accident. Explicit safety analyses in the UFSAR (Refs. 1 and 2) demonstrate that the functioning of the refueling interlocks and adequate SDM will preclude unacceptable reactivity excursions.
Refueling interlocks restrict the movement of control rods to reinforce operational procedures that prevent the reactor from becoming critical. These interlocks prevent the withdrawal of more than one control rod. Under these conditions, since only one control rod can be withdrawn, the core will always be shut down even with the highest worth control rod withdrawn if adequate SDM exists.
The control rod scram function provides backup protection in the event normal refueling procedures and the refueling interlocks fail to prevent inadvertent criticalities during refueling. Alternate backup protection can be obtained by ensuring that a five by five array of control rods, centered on the withdrawn control rod, are inserted and incapable of withdrawal. This alternate backup protection is required when removing a CRD because this removal renders the withdrawn control rod incapable of being scrammed.
As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of the NRC Policy Statement apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.
LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation in MODE 4 with the reactor mode switch in the refuel position can be performed in accordance with other LCOs (i.e., Special Operations LCO 3.10.2, "Reactor Mode Switch Interlock Testing") without meeting this Special Operations LCO or its ACTIONS. If a single control rod withdrawal is desired in MODE 4, controls consistent with those required during refueling must be implemented and this Special Operations LCO applied. "Withdrawal," in this application, includes the actual withdrawal of the control rod, as well as maintaining the control rod in a position other than the full-in position, and reinserting the control rod.
The refueling interlocks of LCO 3.9.2, "Refuel Position One-Rod-Out Interlock," required by this Special Operations LCO will ensure that only one control rod can be withdrawn.
At the time CRD removal begins, the disconnection of the position indication probe will cause LCO 3.9.4, "Control Rod Position Indication," and therefore, LCO 3.9.2 to fail to be met. Therefore, prior to commencing CRD removal, a control rod withdrawal block is required to be inserted to ensure that no additional control rods can be withdrawn and that compliance with this Special Operations LCO is maintained.
To back up the refueling interlocks (LCO 3.9.2) or the control rod withdrawal block, the ability to scram the withdrawn control rod in the event of an inadvertent criticality is provided by the Special Operations LCO requirements in Item c.1. Alternatively, when the scram function is not OPERABLE, or when the CRD is to be removed, a sufficient number of rods in the vicinity of the withdrawn control rod are required to be inserted and made incapable of withdrawal (Item c.2). This precludes the possibility of criticality upon withdrawal of this control rod. Also, once this alternate (Item c.2) is completed, the SDM requirement to account for both the withdrawn untrippable (inoperable) control rod, and the highest worth control rod may be changed to allow the withdrawn untrippable (inoperable) control rod to be the single highest worth control rod.
APPLICABILITY Control rod withdrawals are adequately controlled in MODES 1, 2, and 5 by existing LCOs. In MODES 3 and 4, control rod withdrawal is only allowed if performed in accordance with Special Operations LCO 3.10.3, or this Special Operations LCO, and if limited to one control rod.
This allowance is only provided with the reactor mode switch in the refuel position.
During these conditions, the full insertion requirements for all other control rods, the one-rod-out interlock (LCO 3.9.2), control rod position indication (LCO 3.9.4), and scram functions (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," and LCO 3.9.5, "Control Rod OPERABILITY-Refueling"), or the added administrative controls in Item b.2 and Item c.2 of this Special Operations LCO, provide mitigation of potential reactivity excursions.
ACTIONS A Note has been provided to modify the ACTIONS related to a single control rod withdrawal while in MODE 4. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for each requirement of the LCO not met provide appropriate compensatory measures for separate requirements that are not met. As such, a Note has been provided that allows separate Condition entry for each requirement of the LCO.
A.1, A.2.1, and A.2.2 If one or more of the requirements of this Special Operations LCO are not met with the affected control rod insertable, these Required Actions restore operation consistent with normal MODE 4 conditions (i.e., all rods inserted) or with the exceptions allowed in this Special Operations LCO. Required Action A.1 has been modified by a Note that clarifies that the intent of any other LCO's Required Action is to insert all control rods. This Required Action includes exiting this Special Operations Applicability by returning the reactor mode switch to the shutdown position. A second Note has been added to Required Action A.1 to clarify that this Required Action is only applicable if the requirements not met are for an affected LCO.
Required Actions A.2.1 and A.2.2 are specified, based on the assumption that the control rod is being withdrawn. If the control rod is still insertable, actions must be immediately initiated to fully insert all insertable control rods and within 1 hour place the reactor mode switch in the shutdown position. Actions must continue until all such control rods are fully inserted. The allowed Completion Time of 1 hour for placing the reactor mode switch in the shutdown position provides sufficient time to normally insert the control rods.
B.1, B.2.1, and B.2.2 If one or more of the requirements of this Special Operations LCO are not met with the affected control rod not insertable, withdrawal of the control rod and removal of the associated CRD must be immediately suspended. If the CRD has been removed, such that the control rod is not insertable, the Required Actions require the most expeditious action be taken to either initiate action to restore the CRD and insert its control rod, or initiate action to restore compliance with this Special Operations LCO.
SURVEILLANCE REQUIREMENTS SR 3.10.4.1, SR 3.10.4.2, SR 3.10.4.3, and SR 3.10.4.4 The other LCOs made applicable by this Special Operations LCO are required to have their associated surveillances met to establish that this Special Operations LCO is being met.
If the local array of control rods is inserted and disarmed while the scram function for the withdrawn rod is not available, periodic verification is required to ensure that the possibility of criticality remains precluded.
Verification that all the other control rods are fully inserted is required to meet the SDM requirements.
Verification that a control rod withdrawal block has been inserted ensures that no other control rods can be inadvertently withdrawn under conditions when position indication instrumentation is inoperable for the affected control rod. The 24 hour Frequency is acceptable because of the administrative controls on control rod withdrawals, the protection afforded by the LCOs involved, and hardwire interlocks to preclude an additional control rod withdrawal.
SR 3.10.4.2 and SR 3.10.4.4 have been modified by Notes, which clarify that these SRs are not required to be met if the alternative requirements demonstrated by SR 3.10.4.1 are satisfied.
REFERENCES 1. UFSAR, Section 7.6.4.
2. UFSAR, Section 14.5.3.3.
Single CRD Removal -Refueling B 3.10.5 B 3.10 SPECIAL OPERATIONS B 3.10.5 Single Control Rod Drive (CRD) Removal-Refueling BASES BACKGROUND The purpose of this MODE 5 Special Operations LCO is to permit the removal of a single CRD during refueling operations by imposing certain administrative controls.
Refueling interlocks restrict the movement of control rods and the operation of the refueling equipment to reinforce operational procedures that prevent the reactor from becoming critical during refueling operations. During refueling operations, no more than one control rod is permitted to be withdrawn from a core cell containing one or more fuel assemblies. The refueling interlocks use the "full-in" position indicators to determine the position of all control rods. If the "full-in" position signal is not present for every control rod, then the all rods in permissive for the refueling equipment interlocks is not present and fuel loading is prevented. Also, the refuel position one-rod-out interlock will not allow the withdrawal of a second control rod.
The control rod scram function provides backup protection in the event normal refueling procedures, and the refueling interlocks described above fail to prevent inadvertent criticalities during refueling. The requirement for this function to be OPERABLE precludes the possibility of removing the CRD once a control rod is withdrawn from a core cell containing one or more fuel assemblies. This Special Operations LCO provides controls sufficient to ensure the possibility of an inadvertent criticality is precluded, while allowing a single CRD to be removed from a core cell containing one or more fuel assemblies. The removal of the CRD involves disconnecting the position indication probe, which causes noncompliance with LCO 3.9.4, "Control Rod Position Indication," and, therefore, LCO 3.9.1, "Refueling Equipment Interlocks," and LCO 3.9.2, "Refueling Position One-Rod-Out Interlock." The CRD removal also requires isolation of the CRD from the CRD Hydraulic System, thereby causing inoperability of the control rod (LCO 3.9.5, "Control Rod OPERABILITY-Refueling").
APPLICABLE SAFETY ANALYSES With the reactor mode switch in the refuel position, the analyses for control rod withdrawal during refueling are applicable and, provided the assumptions of these analyses are satisfied, these analyses will bound the consequences of accidents. Explicit safety analyses in the UFSAR (Refs. 1 and 2) demonstrate that proper operation of the refueling interlocks and adequate SDM will preclude unacceptable reactivity excursions.
Refueling interlocks restrict the movement of control rods and the operation of the refueling equipment to reinforce operational procedures that prevent the reactor from becoming critical. These interlocks prevent the withdrawal of more than one control rod. Under these conditions, since only one control rod can be withdrawn, the core will always be shut down even with the highest worth control rod withdrawn if adequate SDM exists. By requiring all other control rods to be inserted and a control rod withdrawal block initiated, the function of the inoperable one-rod-out interlock (LCO 3.9.2) is adequately maintained. This Special Operations LCO requirement to suspend all CORE ALTERATIONS adequately compensates for the inoperable all rods in permissive for the refueling equipment interlocks (LCO 3.9.1).
The control rod scram function provides backup protection to normal refueling procedures and the refueling interlocks, which prevent inadvertent criticalities during refueling.
Since the scram function and refueling interlocks may be suspended, alternate backup protection required by this Special Operations LCO is obtained by ensuring that a five by five array of control rods, centered on the withdrawn control rod, are inserted and are incapable of being withdrawn, and all other control rods are inserted and incapable of being withdrawn (by insertion of a control rod block).
As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of the NRC Policy Statement apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.
LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation in MODE 5 with any of the following LCOs, LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," LCO 3.3.8.2, "Reactor Protection System (RPS) Electric Power Monitoring," LCO 3.9.1, LCO 3.9.2, LCO 3.9.4, or LCO 3.9.5 not met, can be performed in accordance with the Required Actions of these LCOs without meeting this Special Operations LCO or its ACTIONS.
However, if a single CRD removal from a core cell containing one or more fuel assemblies is desired in MODE 5, controls consistent with those required by LCO 3.3.1.1, LCO 3.3.8.2, LCO 3.9.1, LCO 3.9.2, LCO 3.9.4, and LCO 3.9.5 must be implemented, and this Special Operations LCO applied.
By requiring all other control rods to be inserted and a control rod withdrawal block initiated, the function of the inoperable one-rod-out interlock (LCO 3.9.2) is adequately maintained. This Special Operations LCO requirement to suspend all CORE ALTERATIONS adequately compensates for the inoperable all rods in permissive for the refueling equipment interlocks (LCO 3.9.1). Ensuring that the five by five array of control rods, centered on the withdrawn control rod, are inserted and incapable of withdrawal adequately satisfies the backup protection that LCO 3.3.1.1 and LCO 3.9.2 would have otherwise provided. Also, once these requirements (Items a, b, and c) are completed, the SDM requirement to account for both the withdrawn untrippable (inoperable) control rod and the highest worth control rod may be changed to allow the withdrawn untrippable (inoperable) control rod to be the single highest worth control rod.
APPLICABILITY Operation in MODE 5 is controlled by existing LCOs. The allowance to comply with this Special Operations LCO in lieu of the ACTIONS of LCO 3.3.1.1, LCO 3.3.8.2, LCO 3.9.1, LCO 3.9.2, LCO 3.9.4, and LCO 3.9.5 is appropriately controlled with the additional administrative controls required by this Special Operations LCO, which reduce the potential for reactivity excursions.
PBAPS UNIT 2 B 3.10-21 Revision No. 0
ACTIONS A.1, A.2.1, and A.2.2 If one or more of the requirements of this Special Operations LCO are not met, the immediate implementation of these Required Actions restores operation consistent with the normal requirements for failure to meet LCO 3.3.1.1, LCO 3.9.1, LCO 3.9.2, LCO 3.9.4, and LCO 3.9.5 (i.e., all control rods inserted) or with the allowances of this Special Operations LCO. The Completion Times for Required Action A.1, Required Action A.2.1, and Required Action A.2.2 are intended to require that these Required Actions be implemented in a very short time and carried through in an expeditious manner to either initiate action to restore the CRD and insert its control rod, or initiate action to restore compliance with this Special Operations LCO.
Actions must continue until either Required Action A.2.1 or Required Action A.2.2 is satisfied.
SURVEILLANCE REQUIREMENTS SR 3.10.5.1, SR 3.10.5.2, SR 3.10.5.3, SR 3.10.5.4, and SR 3.10.5.5 Verification that all the control rods, other than the control rod withdrawn for the removal of the associated CRD, are fully inserted is required to ensure the SDM is within limits. Verification that the local five by five array of control rods, other than the control rod withdrawn for removal of the associated CRD, is inserted and disarmed, while the scram function for the withdrawn rod is not available, is required to ensure that the possibility of criticality remains precluded. Verification that a control rod withdrawal block has been inserted ensures that no other control rods can be inadvertently withdrawn under conditions when position indication instrumentation is inoperable for the withdrawn control rod. The Surveillance for LCO 3.1.1, which is made applicable by this Special Operations LCO, is required in order to establish that this Special Operations LCO is being met. Verification that no other CORE ALTERATIONS are being made is required to ensure the assumptions of the safety analysis are satisfied.
Periodic verification of the administrative controls established by this Special Operations LCO is prudent to preclude the possibility of an inadvertent criticality. The 24 hour Frequency is acceptable, given the administrative controls on control rod removal and hardwire interlock to block an additional control rod withdrawal.
PBAPS UNIT 2 B 3.10-22 Revision No. 0
REFERENCES
1. UFSAR, Section 7.6.4.
2. UFSAR, Section 14.5.3.3.
PBAPS UNIT 2 B 3.10-23 Revision No. 0
Multiple Control Rod Withdrawal-Refueling B 3.10.6 B 3.10 SPECIAL OPERATIONS B 3.10.6 Multiple Control Rod Withdrawal-Refueling BASES BACKGROUND The purpose of this MODE 5 Special Operations LCO is to permit multiple control rod withdrawal during refueling by imposing certain administrative controls.
Refueling interlocks restrict the movement of control rods and the operation of the refueling equipment to reinforce operational procedures that prevent the reactor from becoming critical during refueling operations. During refueling operations, no more than one control rod is permitted to be withdrawn from a core cell containing one or more fuel assemblies. When all four fuel assemblies are removed from a cell, the control rod may be withdrawn with no restrictions. Any number of control rods may be withdrawn and removed from the reactor vessel if their cells contain no fuel.
The refueling interlocks use the "full-in" position indicators to determine the position of all control rods. If the "full-in" position signal is not present for every control rod, then the all rods in permissive for the refueling equipment interlocks is not present and fuel loading is prevented. Also, the refuel position one-rod-out interlock will not allow the withdrawal of a second control rod.
To allow more than one control rod to be withdrawn during refueling, these interlocks must be defeated. This Special Operations LCO establishes the necessary administrative controls to allow bypassing the "full-in" position indicators.
APPLICABLE SAFETY ANALYSES Explicit safety analyses in the UFSAR (Refs. 1, 2, and 3) demonstrate that the functioning of the refueling interlocks and adequate SDM will prevent unacceptable reactivity excursions during refueling. To allow multiple control rod withdrawals, control rod removals, associated control rod drive (CRD) removal, or any combination of these, the "full-in" position indication is allowed to be bypassed for each withdrawn control rod if all fuel has been removed from the cell. With no fuel assemblies in the core cell, the
PBAPS UNIT 2 B 3.10-24 Revision No. 0
associated control rod has no reactivity control function and is not required to remain inserted. Prior to reloading fuel into the cell, however, the associated control rod must be inserted to ensure that an inadvertent criticality does not occur, as evaluated in the Reference 3 analysis.
As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of the NRC Policy Statement apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.
LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation in MODE 5 with either LCO 3.9.3, "Control Rod Position," LCO 3.9.4, "Control Rod Position Indication," or LCO 3.9.5, "Control Rod OPERABILITY-Refueling," not met, can be performed in accordance with the Required Actions of these LCOs without meeting this Special Operations LCO or its ACTIONS. If multiple control rod withdrawal or removal, or CRD removal is desired, all four fuel assemblies are required to be removed from the associated cells. Prior to entering this LCO, any fuel remaining in a cell whose CRD was previously removed under the provisions of another LCO must be removed.
"Withdrawal," in this application, includes the actual withdrawal of the control rod, as well as maintaining the control rod in a position other than the full-in position, and reinserting the control rod.
When fuel is loaded into the core with multiple control rods withdrawn, special modified quadrant spiral reload sequences are used to ensure that reactivity additions are minimized.
Spiral reloading encompasses reloading a cell (four fuel locations immediately adjacent to a control rod) on the edge of a continuous fueled region (the cell can be loaded in any sequence). Otherwise, all control rods must be fully inserted before loading fuel.
PBAPS UNIT 2 B 3.10-25 Revision No. 0
APPLICABILITY Operation in MODE 5 is controlled by existing LCOs. The exceptions from other LCO requirements (e.g., the ACTIONS of LCO 3.9.3, LCO 3.9.4, or LCO 3.9.5) allowed by this Special Operations LCO are appropriately controlled by requiring all fuel to be removed from cells whose "full-in" indicators are allowed to be bypassed.
ACTIONS A.1, A.2, A.3.1, and A.3.2 If one or more of the requirements of this Special Operations LCO are not met, the immediate implementation of these Required Actions restores operation consistent with the normal requirements for refueling (i.e., all control rods inserted in core cells containing one or more fuel assemblies) or with the exceptions granted by this Special Operations LCO. The Completion Times for Required Action A.1, Required Action A.2, Required Action A.3.1, and Required Action A.3.2 are intended to require that these Required Actions be implemented in a very short time and carried through in an expeditious manner to either initiate action to restore the affected CRDs and insert their control rods, or initiate action to restore compliance with this Special Operations LCO.
SURVEILLANCE REQUIREMENTS SR 3.10.6.1, SR 3.10.6.2, and SR 3.10.6.3 Periodic verification of the administrative controls established by this Special Operations LCO is prudent to preclude the possibility of an inadvertent criticality. The 24 hour Frequency is acceptable, given the administrative controls on fuel assembly and control rod removal, and takes into account other indications of control rod status available in the control room.
REFERENCES
1. UFSAR, Section 7.6.4.
2. UFSAR, Section 14.5.3.3.
3. UFSAR, Section 14.5.3.4.
PBAPS UNIT 2 B 3.10-26 Revision No. 0
Control Rod Testing-Operating B 3.10.7 B 3.10 SPECIAL OPERATIONS B 3.10.7 Control Rod Testing-Operating BASES BACKGROUND The purpose of this Special Operations LCO is to permit control rod testing, while in MODES 1 and 2, by imposing certain administrative controls. Control rod patterns during startup conditions are controlled by the operator and the rod worth minimizer (RWM) (LCO 3.3.2.1, "Control Rod Block Instrumentation"), such that only the specified control rod sequences and relative positions required by LCO 3.1.6, "Rod Pattern Control," are allowed over the operating range from all control rods inserted to the low power setpoint (LPSP) of the RWM. The sequences effectively limit the potential amount and rate of reactivity increase that could occur during a control rod drop accident (CRDA).
During these conditions, control rod testing is sometimes required that may result in control rod patterns not in compliance with the prescribed sequences of LCO 3.1.6.
These tests include SDM demonstrations, control rod scram time testing, control rod friction testing, and testing performed during the Startup Test Program. This Special Operations LCO provides the necessary exemption to the requirements of LCO 3.1.6 and provides additional administrative controls to allow the deviations in such tests from the prescribed sequences in LCO 3.1.6.
APPLICABLE SAFETY ANALYSES The analytical methods and assumptions used in evaluating the CRDA are summarized in References 1 and 2. CRDA analyses assume the reactor operator follows prescribed withdrawal sequences. These sequences define the potential initial conditions for the CRDA analyses. The RWM provides backup to operator control of the withdrawal sequences to ensure the initial conditions of the CRDA analyses are not violated. For special sequences developed for control rod testing, the initial control rod patterns assumed in the safety analysis of References 1 and 2 may not be preserved.
Therefore special CRDA analyses are required to demonstrate that these special sequences will not result in unacceptable consequences, should a CRDA occur during the testing. These analyses, performed in accordance with an NRC approved methodology, are dependent on the specific test being performed.
PBAPS UNIT 2 B 3.10-27 Revision No. 0
As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of the NRC Policy Statement apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.
LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Control rod testing may be performed in compliance with the prescribed sequences of LCO 3.1.6, and during these tests, no exceptions to the requirements of LCO 3.1.6 are necessary. For testing performed with a sequence not in compliance with LCO 3.1.6, the requirements of LCO 3.1.6 may be suspended, provided additional administrative controls are placed on the test to ensure that the assumptions of the special safety analysis for the test sequence are satisfied. Assurances that the test sequence is followed can be provided by either programming the test sequence into the RWM, with conformance verified as specified in SR 3.3.2.1.8 and allowing the RWM to monitor control rod withdrawal and provide appropriate control rod blocks if necessary, or by verifying conformance to the approved test sequence by a second licensed operator or other qualified member of the technical staff. These controls are consistent with those normally applied to operation in the startup range as defined in the SRs and ACTIONS of LCO 3.3.2.1, "Control Rod Block Instrumentation."
APPLICABILITY Control rod testing, while in MODES 1 and 2, with THERMAL POWER greater than 10% RTP, is adequately controlled by the existing LCOs on power distribution limits and control rod block instrumentation. Control rod movement during these conditions is not restricted to prescribed sequences and can be performed within the constraints of LCO 3.2.1, "AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)," LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)," LCO 3.2.3, "LINEAR HEAT GENERATION RATE (LHGR)," and LCO 3.3.2.1. With THERMAL POWER less than or equal to 10% RTP, the provisions of this Special Operations LCO are necessary to perform special tests that are not in conformance with the prescribed sequences of LCO 3.1.6. While in MODES 3 and 4, control rod withdrawal is only allowed if performed in accordance with
PBAPS UNIT 2 B 3.10-28 Revision No. 0
Special Operations LCO 3.10.3, "Single Control Rod Withdrawal-Hot Shutdown," or Special Operations LCO 3.10.4, "Single Control Rod Withdrawal-Cold Shutdown," which provide adequate controls to ensure that the assumptions of the safety analyses of References 1 and 2 are satisfied.
During these Special Operations and while in MODE 5, the one-rod-out interlock (LCO 3.9.2, "Refuel Position One-Rod-Out Interlock") and scram functions (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," and LCO 3.9.5, "Control Rod OPERABILITY-Refueling"), or the added administrative controls prescribed in the applicable Special Operations LCOs, provide mitigation of potential reactivity excursions.
ACTIONS A.1 With the requirements of the LCO not met (e.g., the control rod pattern is not in compliance with the special test sequence, the sequence is improperly loaded in the RWM) the testing is required to be immediately suspended. Upon suspension of the special test, the provisions of LCO 3.1.6 are no longer excepted, and appropriate actions are to be taken to restore the control rod sequence to the prescribed sequence of LCO 3.1.6, or to shut down the reactor, if required by LCO 3.1.6.
SURVEILLANCE REQUIREMENTS SR 3.10.7.1 With the special test sequence not programmed into the RWM, a second licensed operator or other qualified member of the technical staff (i.e., personnel trained in accordance with an approved training program for this test) is required to verify conformance with the approved sequence for the test.
This verification must be performed during control rod movement to prevent deviations from the specified sequence.
A Note is added to indicate that this Surveillance does not need to be met if SR 3.10.7.2 is satisfied.
PBAPS UNIT 2 B 3.10-29 Revision No. 0
SR 3.10.7.2 When the RWM provides conformance to the special test sequence, the test sequence must be verified to be correctly loaded into the RWM prior to control rod movement. This Surveillance demonstrates compliance with SR 3.3.2.1.8, thereby demonstrating that the RWM is OPERABLE. A Note has been added to indicate that this Surveillance does not need to be met if SR 3.10.7.1 is satisfied.
REFERENCES
1. NEDE-24011-P-A-US, General Electric Standard Application for Reactor Fuel, Supplement for United States, February 1991.
2. Letter from T. Pickens (BWROG) to G.C. Lainas (NRC), "Amendment 17 to General Electric Licensing Topical Report NEDE-24011-P-A," August 15, 1986.
PBAPS UNIT 2 B 3.10-30 Revision No. 0
SDM Test - Refueling B 3.10.8 B 3.10 SPECIAL OPERATIONS B 3.10.8 SHUTDOWN MARGIN (SDM) Test-Refueling BASES BACKGROUND The purpose of this MODE 5 Special Operations LCO is to permit SDM testing to be performed for those plant configurations in which the reactor pressure vessel (RPV) head is either not in place or the head bolts are not fully tensioned.
LCO 3.1.1, "SHUTDOWN MARGIN (SDM)," requires that adequate SDM be demonstrated following fuel movements or control rod replacement within the RPV. The demonstration must be performed prior to or within 4 hours after criticality is reached. This SDM test may be performed prior to or during the first startup following the refueling. Performing the SDM test prior to startup requires the test to be performed while in MODE 5, with the vessel head bolts less than fully tensioned (and possibly with the vessel head removed).
While in MODE 5, the reactor mode switch is required to be in the shutdown or refuel position, where the applicable control rod blocks ensure that the reactor will not become critical. The SDM test requires the reactor mode switch to be in the startup/hot standby position, since more than one control rod will be withdrawn for the purpose of demonstrating adequate SDM. This Special Operations LCO provides the appropriate additional controls to allow withdrawing more than one control rod from a core cell containing one or more fuel assemblies when the reactor vessel head bolts are less than fully tensioned.
APPLICABLE SAFETY ANALYSES Prevention and mitigation of unacceptable reactivity excursions during control rod withdrawal, with the reactor mode switch in the startup/hot standby position while in MODE 5, is provided by the wide range neutron monitor (WRNM) period-short scram (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation"), and control rod block instrumentation (LCO 3.3.2.1, "Control Rod Block Instrumentation"). The limiting reactivity excursion during startup conditions while in MODE 5 is the control rod drop accident (CRDA).
PBAPS UNIT 2 B 3.10-31 Revision No. 24
CRDA analyses assume that the reactor operator follows prescribed withdrawal sequences. For SDM tests performed within these defined sequences, the analyses of References 1 and 2 are applicable. However, for some sequences developed for the SDM testing, the control rod patterns assumed in the safety analyses of References 1 and 2 may not be met.
Therefore, special CRDA analyses, performed in accordance with an NRC approved methodology, are required to demonstrate the SDM test sequence will not result in unacceptable consequences should a CRDA occur during the testing. For the purpose of this test, the protection provided by the normally required MODE 5 applicable LCOs, in addition to the requirements of this LCO, will maintain normal test operations as well as postulated accidents within the bounds of the appropriate safety analyses (Refs. 1 and 2). In addition to the added requirements for the RWM, WRNM, APRM, and control rod coupling, the notch out mode is specified for out of sequence withdrawals.
Requiring the notch out mode limits withdrawal steps to a single notch, which limits inserted reactivity, and allows adequate monitoring of changes in neutron flux, which may occur during the test.
As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of the NRC Policy Statement apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.
LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. SDM tests may be performed while in MODE 2, in accordance with Table 1.1-1, without meeting this Special Operations LCO or its ACTIONS. For SDM tests performed while in MODE 5, additional requirements must be met to ensure that adequate protection against potential reactivity excursions is available. To provide additional scram protection beyond the normally required WRNMs, the APRMs are also required to be OPERABLE (LCO 3.3.1.1, Functions 2a, 2.d and 2e) as though the reactor were in MODE 2. Because multiple control rods will be withdrawn and the reactor will potentially become critical, the approved control rod withdrawal sequence must be enforced by the RWM (LCO 3.3.2.1, Function 2, MODE 2), or must be verified by a
PBAPS UNIT 2 B 3.10-32 Revision No. 36
second licensed operator or other qualified member of the technical staff. To provide additional protection against an inadvertent criticality, control rod withdrawals that do not conform to the banked position withdrawal sequence specified in LCO 3.1.6, "Rod Pattern Control," (i.e., out of sequence control rod withdrawals) must be made in the individual notched withdrawal mode to minimize the potential reactivity insertion associated with each movement.
Coupling integrity of withdrawn control rods is required to minimize the probability of a CRDA and ensure proper functioning of the withdrawn control rods, if they are required to scram. Because the reactor vessel head may be removed during these tests, no other CORE ALTERATIONS may be in progress. Furthermore, since the control rod scram function with the RCS at atmospheric pressure relies solely on the CRD accumulator, it is essential that the CRD charging water header remain pressurized. This Special Operations LCO then allows changing the Table 1.1-1 reactor mode switch position requirements to include the startup/hot standby position, such that the SDM tests may be performed while in MODE 5.
APPLICABILITY These SDM test Special Operations requirements are only applicable if the SDM tests are to be performed while in MODE 5 with the reactor vessel head removed or the head bolts not fully tensioned. Additional requirements during these tests to enforce control rod withdrawal sequences and restrict other CORE ALTERATIONS provide protection against potential reactivity excursions. Operations in all other MODES are unaffected by this LCO.
ACTIONS A.1 and A.2 With one or more control rods discovered uncoupled during this Special Operation, a controlled insertion of each uncoupled control rod is required, either to attempt recoupling, or to preclude a control rod drop. This controlled insertion is preferred since, if the control rod fails to follow the drive as it is withdrawn (i.e., is "stuck" in an inserted position), placing the reactor mode switch in the shutdown position per Required Action B.1 could cause substantial secondary damage. If recoupling is not accomplished, operation may continue, provided the control rods are fully inserted within 3 hours and disarmed (electrically or hydraulically) within 4 hours. Inserting a
PBAPS UNIT 2 B 3.10-33 Revision No. 0
control rod ensures the shutdown and scram capabilities are not adversely affected. The control rod is disarmed to prevent inadvertent withdrawal during subsequent operations.
The control rods can be hydraulically disarmed by closing the drive water and exhaust water isolation valves. Electrically, the control rods can be disarmed by disconnecting power from all four directional control valve solenoids. Required Action A.1 is modified by a Note that allows the RWM to be bypassed if required to allow insertion of the inoperable control rods and continued operation. LCO 3.3.2.1, "Control Rod Block Instrumentation," ACTIONS provide additional requirements when the RWM is bypassed to ensure compliance with the CRDA analysis.
The allowed Completion Times are reasonable, considering the small number of allowed inoperable control rods, and provide time to insert and disarm the control rods in an orderly manner and without challenging plant systems.
Condition A is modified by a Note allowing separate Condition entry for each uncoupled control rod. This is acceptable since the Required Actions for this Condition provide appropriate compensatory actions for each uncoupled control rod. Complying with the Required Actions may allow for continued operation. Subsequent uncoupled control rods are governed by subsequent entry into the Condition and application of the Required Actions.
B.1 With one or more of the requirements of this LCO not met for reasons other than an uncoupled control rod, the testing should be immediately stopped by placing the reactor mode switch in the shutdown or refuel position. This results in a condition that is consistent with the requirements for MODE 5 where the provisions of this Special Operations LCO are no longer required.
PBAPS UNIT 2 B 3.10-34 Revision No. 0
SURVEILLANCE REQUIREMENTS SR 3.10.8.1, SR 3.10.8.2, and SR 3.10.8.3 LCO 3.3.1.1, Functions 2a, 2.d and 2e, made applicable in this Special Operations LCO, are required to have their Surveillances met to establish that this Special Operations LCO is being met. However, the control rod withdrawal sequences during the SDM tests may be enforced by the RWM (LCO 3.3.2.1, Function 2, MODE 2 requirements) or by a second licensed operator or other qualified member of the technical staff. As noted, either the applicable SRs for the RWM (LCO 3.3.2.1) must be satisfied according to the applicable Frequencies (SR 3.10.8.2), or the proper movement of control rods must be verified (SR 3.10.8.3). This latter verification (i.e., SR 3.10.8.3) must be performed during control rod movement to prevent deviations from the specified sequence. These surveillances provide adequate assurance that the specified test sequence is being followed.
SR 3.10.8.4 Periodic verification of the administrative controls established by this LCO will ensure that the reactor is operated within the bounds of the safety analysis. The 12 hour Frequency is intended to provide appropriate assurance that each operating shift is aware of and verifies compliance with these Special Operations LCO requirements.
SR 3.10.8.5 Coupling verification is performed to ensure the control rod is connected to the control rod drive mechanism and will perform its intended function when necessary. The verification is required to be performed any time a control rod is withdrawn to the "full out" notch position, or prior to declaring the control rod OPERABLE after work on the control rod or CRD System that could affect coupling. This Frequency is acceptable, considering the low probability that a control rod will become uncoupled when it is not being moved as well as operating experience related to uncoupling events.
PBAPS UNIT 2 B 3.10-35 Revision No. 36
SR 3.10.8.6 CRD charging water header pressure verification is performed to ensure the motive force is available to scram the control rods in the event of a scram signal. Since the reactor is depressurized in MODE 5, there is insufficient reactor pressure to scram the control rods. Verification of charging water header pressure ensures that if a scram were required, capability for rapid control rod insertion would exist. The minimum pressure of 940 psig is well below the expected pressure of approximately 1450 psig while still ensuring sufficient pressure for rapid control rod insertion. The 7 day Frequency has been shown to be acceptable through operating experience and takes into account indications available in the control room.
REFERENCES
1. NEDE-24011-P-A-US, General Electric Standard Application for Reactor Fuel, Supplement for United States, February 1991.
2. Letter from T. Pickens (BWROG) to G.C. Lainas, NRC, "Amendment 17 to General Electric Licensing Topical Report NEDE-24011-P-A," August 15, 1986.
PBAPS UNIT 2 B 3.10-36 Revision No. 2